/src/detect-fast-pattern.c
https://github.com/decanio/suricata-tilera · C · 19997 lines · 16405 code · 3297 blank · 295 comment · 4164 complexity · 8f001207f0544d429199869e0b3116f1 MD5 · raw file
- /* Copyright (C) 2007-2010 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
- /**
- * \file
- *
- * \author Anoop Saldanha <anoopsaldanha@gmail.com>
- *
- * Implements the fast_pattern keyword
- */
- #include "suricata-common.h"
- #include "detect.h"
- #include "flow.h"
- #include "detect-content.h"
- #include "detect-parse.h"
- #include "detect-engine.h"
- #include "detect-engine-mpm.h"
- #include "detect-fast-pattern.h"
- #include "util-error.h"
- #include "util-debug.h"
- #include "util-unittest.h"
- #include "util-unittest-helper.h"
- #define DETECT_FAST_PATTERN_REGEX "^(\\s*only\\s*)|\\s*([0-9]+)\\s*,\\s*([0-9]+)\\s*$"
- static pcre *parse_regex = NULL;
- static pcre_extra *parse_regex_study = NULL;
- static int DetectFastPatternSetup(DetectEngineCtx *, Signature *, char *);
- void DetectFastPatternRegisterTests(void);
- /* holds the list of sm match lists that need to be searched for a keyword
- * that has fp support */
- SCFPSupportSMList *sm_fp_support_smlist_list = NULL;
/**
 * \brief Adds a sig-match list id to the global list of lists that are later
 *        searched for keywords with fast_pattern support.
 *
 * The global list is kept ordered by priority: the new entry is linked in
 * front of the first existing entry whose priority is greater than or equal
 * to \a priority.  Registering the same list id twice, or running out of
 * memory, terminates the process.
 *
 * \param list_id  SM list id.
 * \param priority Priority for this list.
 */
static void SupportFastPatternForSigMatchList(int list_id, int priority)
{
    /* slot (head pointer or some node's ->next) that will receive the node */
    SCFPSupportSMList **slot = &sm_fp_support_smlist_list;

    while (*slot != NULL) {
        SCFPSupportSMList *cur = *slot;

        if (cur->list_id == list_id) {
            SCLogError(SC_ERR_FATAL, "SM list already registered.");
            exit(EXIT_FAILURE);
        }
        if (priority <= cur->priority)
            break;
        slot = &cur->next;
    }

    SCFPSupportSMList *node = SCMalloc(sizeof(SCFPSupportSMList));
    if (unlikely(node == NULL))
        exit(EXIT_FAILURE);
    memset(node, 0, sizeof(SCFPSupportSMList));
    node->list_id = list_id;
    node->priority = priority;
    node->next = *slot;
    *slot = node;

    /* the walk above stopped at the insertion point, so the entries behind
     * it still have to be checked for a duplicate id */
    for (const SCFPSupportSMList *rest = node->next; rest != NULL; rest = rest->next) {
        if (rest->list_id == list_id) {
            SCLogError(SC_ERR_FATAL, "SM list already registered.");
            exit(EXIT_FAILURE);
        }
    }
}
/**
 * \brief Registers the keywords (SM lists) that should be given fp support.
 *
 * Each entry is handed to SupportFastPatternForSigMatchList() in table
 * order; the order is kept exactly as written because it decides where
 * entries of equal priority end up in the global list.
 */
void SupportFastPatternForSigMatchTypes(void)
{
    const struct {
        int list_id;
        int priority;
    } fp_lists[] = {
        { DETECT_SM_LIST_HCBDMATCH, 2 },
        { DETECT_SM_LIST_HSBDMATCH, 2 },
        { DETECT_SM_LIST_HHDMATCH, 2 },
        { DETECT_SM_LIST_HRHDMATCH, 2 },
        { DETECT_SM_LIST_UMATCH, 2 },
        { DETECT_SM_LIST_HRUDMATCH, 2 },
        { DETECT_SM_LIST_HHHDMATCH, 2 },
        { DETECT_SM_LIST_HRHHDMATCH, 2 },
        { DETECT_SM_LIST_HCDMATCH, 2 },
        { DETECT_SM_LIST_HUADMATCH, 2 },
        { DETECT_SM_LIST_PMATCH, 3 },
        { DETECT_SM_LIST_HMDMATCH, 3 },
        { DETECT_SM_LIST_HSCDMATCH, 3 },
        { DETECT_SM_LIST_HSMDMATCH, 3 },
    };
    const size_t fp_list_cnt = sizeof(fp_lists) / sizeof(fp_lists[0]);

    for (size_t i = 0; i < fp_list_cnt; i++)
        SupportFastPatternForSigMatchList(fp_lists[i].list_id, fp_lists[i].priority);

#if 0
    /* debugging aid: dump the resulting list */
    for (SCFPSupportSMList *it = sm_fp_support_smlist_list; it != NULL; it = it->next)
        printf("%d - %d\n", it->list_id, it->priority);
#endif
}
/**
 * \brief Registration function for the fast_pattern keyword.
 *
 * Fills the DETECT_FAST_PATTERN slot of sigmatch_table and compiles and
 * studies the argument regex used by DetectFastPatternSetup().
 *
 * NOTE(review): a regex compile or study failure is only logged; the function
 * returns void, so the caller cannot tell that registration was incomplete.
 */
void DetectFastPatternRegister(void)
{
    const char *err_text = NULL;
    int err_offset = 0;

    sigmatch_table[DETECT_FAST_PATTERN].name = "fast_pattern";
    sigmatch_table[DETECT_FAST_PATTERN].desc = "force using preceding content in the multi pattern matcher";
    sigmatch_table[DETECT_FAST_PATTERN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#fast_pattern";
    sigmatch_table[DETECT_FAST_PATTERN].Setup = DetectFastPatternSetup;
    sigmatch_table[DETECT_FAST_PATTERN].RegisterTests = DetectFastPatternRegisterTests;
    /* the keyword has no runtime match or free callback */
    sigmatch_table[DETECT_FAST_PATTERN].Match = NULL;
    sigmatch_table[DETECT_FAST_PATTERN].Free = NULL;
    sigmatch_table[DETECT_FAST_PATTERN].flags |= SIGMATCH_PAYLOAD;

    parse_regex = pcre_compile(DETECT_FAST_PATTERN_REGEX, 0, &err_text,
                               &err_offset, NULL);
    if (parse_regex == NULL) {
        SCLogError(SC_ERR_PCRE_COMPILE, "pcre compile of \"%s\" failed at "
                   "offset %" PRId32 ": %s", DETECT_FAST_PATTERN_REGEX,
                   err_offset, err_text);
        /* get some way to return an error code! */
        return;
    }

    parse_regex_study = pcre_study(parse_regex, 0, &err_text);
    if (err_text != NULL) {
        SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", err_text);
    }
}
- //static int DetectFastPatternParseArg(
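/**
 * \brief Configures the previous content context for a fast_pattern modifier
 *        keyword used in the rule.
 *
 * Three argument forms are handled: no argument (plain fast_pattern),
 * "only", and "<offset>,<length>" (chop).  The argument comes from the rule
 * text, so every numeric value is range-checked before it is stored.
 *
 * \param de_ctx Pointer to the Detection Engine Context (not used in this
 *               function).
 * \param s      Pointer to the Signature to which the current keyword belongs.
 * \param arg    Keyword argument; NULL or "" for the plain form.
 *
 * \retval 0  On success.
 * \retval -1 On failure.
 */
static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
#define MAX_SUBSTRINGS 30
    int ret = 0, res = 0;
    int ov[MAX_SUBSTRINGS];
    const char *arg_substr = NULL;
    DetectContentData *cd = NULL;

    if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH] == NULL &&
        s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH] == NULL) {
        SCLogWarning(SC_WARN_COMPATIBILITY, "fast_pattern found inside the "
                     "rule, without a preceding content based keyword.  "
                     "Currently we provide fast_pattern support for content, "
                     "uricontent, http_client_body, http_server_body, http_header, "
                     "http_raw_header, http_method, http_cookie, "
                     "http_raw_uri, http_stat_msg, http_stat_code, "
                     "http_user_agent, http_host or http_raw_host option");
        return -1;
    }

    /* 28 = 14 (keyword type, list tail) pairs */
    SigMatch *pm = SigMatchGetLastSMFromLists(s, 28,
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
            DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
    if (pm == NULL) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside "
                   "the rule, without a content context.  Please use a "
                   "content based keyword before using fast_pattern");
        return -1;
    }

    cd = pm->ctx;
    if ((cd->flags & DETECT_CONTENT_NEGATED) &&
        ((cd->flags & DETECT_CONTENT_DISTANCE) ||
         (cd->flags & DETECT_CONTENT_WITHIN) ||
         (cd->flags & DETECT_CONTENT_OFFSET) ||
         (cd->flags & DETECT_CONTENT_DEPTH))) {
        /* negated content combined with a positional/relative modifier is
         * rejected for every form of the keyword */
        SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern; cannot be "
                   "used with negated content, along with relative modifiers");
        goto error;
    }

    /* plain form: "fast_pattern;" */
    if (arg == NULL || strcmp(arg, "") == 0) {
        if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple fast_pattern "
                       "options for the same content");
            goto error;
        }

        /* allow only one content to have the fast_pattern modifier.
         * NOTE(review): this scan runs for the argument-less form only; the
         * "only" and chop forms below do not repeat it. */
        for (int list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
            for (SigMatch *sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
                if (sm->type != DETECT_CONTENT)
                    continue;
                DetectContentData *tmp_cd = sm->ctx;
                if (tmp_cd->flags & DETECT_CONTENT_FAST_PATTERN) {
                    SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern "
                               "can be used on only one content in a rule");
                    goto error;
                }
            }
        }

        cd->flags |= DETECT_CONTENT_FAST_PATTERN;
        return 0;
    }

    /* Execute the regex and populate ov with the captures.
     * NOTE(review): in DETECT_FAST_PATTERN_REGEX the '^' binds only to the
     * "only" alternative and the '$' only to the "offset,length" one, so text
     * after "only" or in front of the numbers is still accepted. */
    ret = pcre_exec(parse_regex, parse_regex_study, arg,
                    strlen(arg), 0, 0, ov, MAX_SUBSTRINGS);
    if (ret == 2) {
        /* fast pattern only */
        if ((cd->flags & DETECT_CONTENT_NEGATED) ||
            (cd->flags & DETECT_CONTENT_DISTANCE) ||
            (cd->flags & DETECT_CONTENT_WITHIN) ||
            (cd->flags & DETECT_CONTENT_OFFSET) ||
            (cd->flags & DETECT_CONTENT_DEPTH)) {
            /* we can't have any of these if we are having "only" */
            SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern: only; cannot be "
                       "used with negated content or with any of the relative "
                       "modifiers like distance, within, offset, depth");
            goto error;
        }
        cd->flags |= DETECT_CONTENT_FAST_PATTERN_ONLY;
    } else if (ret == 4) {
        /* fast pattern chop */
        res = pcre_get_substring((char *)arg, ov, MAX_SUBSTRINGS,
                                 2, &arg_substr);
        if (res < 0) {
            SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed "
                       "for fast_pattern offset");
            goto error;
        }
        /* The capture holds digits only, so the value cannot be negative.
         * strtol() saturates at LONG_MAX on an over-long digit string, which
         * the range check rejects; atoi() would be undefined there. */
        const long offset_val = strtol(arg_substr, NULL, 10);
        /* pcre_get_substring() allocates; release the copy once converted */
        pcre_free_substring(arg_substr);
        arg_substr = NULL;
        if (offset_val > 65535) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "Fast pattern offset exceeds "
                       "limit");
            goto error;
        }

        res = pcre_get_substring((char *)arg, ov, MAX_SUBSTRINGS,
                                 3, &arg_substr);
        if (res < 0) {
            SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed "
                       "for fast_pattern length");
            goto error;
        }
        const long length_val = strtol(arg_substr, NULL, 10);
        pcre_free_substring(arg_substr);
        arg_substr = NULL;
        /* bound the length itself (the original re-tested the offset here),
         * so that the sum below cannot overflow */
        if (length_val > 65535) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "Fast pattern length exceeds "
                       "limit");
            goto error;
        }

        /* both values are now known to lie in 0..65535 */
        const int offset = (int)offset_val;
        const int length = (int)length_val;

        if (offset + length > 65535) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "Fast pattern (length + offset) "
                       "exceeds limit pattern length limit");
            goto error;
        }
        if (offset + length > cd->content_len) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "Fast pattern (length + "
                       "offset (%u)) exceeds pattern length (%u)",
                       offset + length, cd->content_len);
            goto error;
        }
        /* NOTE(review): a length of 0 passes all checks above; confirm that
         * the code consuming fp_chop_len tolerates an empty chop. */
        cd->fp_chop_offset = offset;
        cd->fp_chop_len = length;
        cd->flags |= DETECT_CONTENT_FAST_PATTERN_CHOP;
    } else {
        SCLogError(SC_ERR_PCRE_PARSE, "parse error, ret %" PRId32
                   ", string %s", ret, arg);
        goto error;
    }

    cd->flags |= DETECT_CONTENT_FAST_PATTERN;
    return 0;

error:
    return -1;
}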
- /*----------------------------------Unittests---------------------------------*/
- #ifdef UNITTESTS
/**
 * \test Parses a rule with "content; ...; fast_pattern;" and checks that the
 *       first content in the payload match list carries the
 *       DETECT_CONTENT_FAST_PATTERN flag.
 */
int DetectFastPatternTest01(void)
{
    int result = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                               "(content:\"/one/\"; tcpv4-csum:valid; fast_pattern; "
                               "msg:\"Testing fast_pattern\"; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* only the first content keyword decides the outcome */
    for (SigMatch *sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH];
         sm != NULL; sm = sm->next) {
        if (sm->type != DETECT_CONTENT)
            continue;
        const DetectContentData *cd = sm->ctx;
        result = (cd->flags & DETECT_CONTENT_FAST_PATTERN) ? 1 : 0;
        break;
    }

end:
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}
/**
 * \test Checks that a rule using fast_pattern on two different contents is
 *       rejected by SigInit.
 */
int DetectFastPatternTest02(void)
{
    int result = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                   "(content:\"/one/\"; fast_pattern; "
                                   "content:\"boo\"; fast_pattern; "
                                   "msg:\"Testing fast_pattern\"; sid:1;)");
        /* the test passes only when parsing failed */
        if (de_ctx->sig_list == NULL)
            result = 1;
    }

    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}
/**
 * \test Checks that no content is flagged DETECT_CONTENT_FAST_PATTERN when the
 *       rule does not use the fast_pattern keyword.
 */
int DetectFastPatternTest03(void)
{
    int result = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                               "(content:\"/one/\"; "
                               "msg:\"Testing fast_pattern\"; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* every content must be unflagged; the first flagged one fails the test */
    for (SigMatch *sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH];
         sm != NULL; sm = sm->next) {
        if (sm->type != DETECT_CONTENT)
            continue;
        const DetectContentData *cd = sm->ctx;
        if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
            result = 0;
            break;
        }
        result = 1;
    }

end:
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}
/**
 * \test Checks that a rule is rejected when fast_pattern is given an argument
 *       ("boo") that is neither "only" nor "offset,length".
 */
int DetectFastPatternTest04(void)
{
    int result = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                   "(content:\"/one/\"; fast_pattern:boo; "
                                   "msg:\"Testing fast_pattern\"; sid:1;)");
        /* success means the parser refused the rule */
        result = (de_ctx->sig_list == NULL) ? 1 : 0;
    }

    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}
/**
 * \test The payload contains "strings3", the content marked fast_pattern;
 *       the pattern search is expected to return a non-zero count.
 */
int DetectFastPatternTest05(void)
{
    uint8_t *payload = (uint8_t *) "Oh strin1.  But what "
        "strin2.  This is strings3.  We strins_str4. we "
        "have strins_string5";
    uint16_t payload_len = strlen((char *)payload);
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&tv, 0, sizeof(tv));
    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                                   "(msg:\"fast_pattern test\"; content:\"string1\"; "
                                   "content:\"string2\"; content:\"strings3\"; fast_pattern; "
                                   "content:\"strings_str4\"; content:\"strings_string5\"; "
                                   "sid:1;)");
        if (de_ctx->sig_list == NULL) {
            printf("sig parse failed: ");
        } else {
            SigGroupBuild(de_ctx);
            DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

            /* start the search phase */
            det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, pkt);
            if (PacketPatternSearchWithStreamCtx(det_ctx, pkt) != 0)
                result = 1;

            SigGroupCleanup(de_ctx);
            SigCleanSignatures(de_ctx);
            DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
        }
    }

    UTHFreePackets(&pkt, 1);
    DetectEngineCtxFree(de_ctx);
    return result;
}
/**
 * \test The payload contains all five contents of the rule, including the
 *       fast_pattern one ("strings3"); the pattern search is expected to
 *       return a non-zero count.
 */
int DetectFastPatternTest06(void)
{
    uint8_t *payload = (uint8_t *) "Oh this is a string1.  But what is this with "
        "string2.  This is strings3.  We have strings_str4.  We also have "
        "strings_string5";
    uint16_t payload_len = strlen((char *)payload);
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&tv, 0, sizeof(tv));
    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                                   "(msg:\"fast_pattern test\"; content:\"string1\"; "
                                   "content:\"string2\"; content:\"strings3\"; fast_pattern; "
                                   "content:\"strings_str4\"; content:\"strings_string5\"; "
                                   "sid:1;)");
        if (de_ctx->sig_list != NULL) {
            SigGroupBuild(de_ctx);
            DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

            /* start the search phase */
            det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, pkt);
            if (PacketPatternSearchWithStreamCtx(det_ctx, pkt) != 0)
                result = 1;

            SigGroupCleanup(de_ctx);
            SigCleanSignatures(de_ctx);
            DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
        }
    }

    UTHFreePackets(&pkt, 1);
    DetectEngineCtxFree(de_ctx);
    return result;
}
/**
 * \test The payload does not contain "strings3", the content marked
 *       fast_pattern; the pattern search is expected to return 0.
 */
int DetectFastPatternTest07(void)
{
    uint8_t *payload = (uint8_t *) "Dummy is our name.  Oh yes.  From right here "
        "right now, all the way to hangover.  right.  now here comes our "
        "dark knight strings_string5.  Yes here is our dark knight";
    uint16_t payload_len = strlen((char *)payload);
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&tv, 0, sizeof(tv));
    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                                   "(msg:\"fast_pattern test\"; content:\"string1\"; "
                                   "content:\"string2\"; content:\"strings3\"; fast_pattern; "
                                   "content:\"strings_str4\"; content:\"strings_string5\"; "
                                   "sid:1;)");
        if (de_ctx->sig_list != NULL) {
            SigGroupBuild(de_ctx);
            DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

            /* start the search phase */
            det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, pkt);
            if (PacketPatternSearchWithStreamCtx(det_ctx, pkt) == 0)
                result = 1;

            SigGroupCleanup(de_ctx);
            SigCleanSignatures(de_ctx);
            DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
        }
    }

    UTHFreePackets(&pkt, 1);
    DetectEngineCtxFree(de_ctx);
    return result;
}
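/**
 * \test The payload contains "strings3", the content marked fast_pattern;
 *       the pattern search is expected to return exactly 1.
 *
 * Teardown is guarded the same way as in DetectFastPatternTest11: the early
 * "goto end" paths are reached with de_ctx and/or det_ctx still NULL, and the
 * NULL handling of the cleanup helpers is not visible from this file.
 */
int DetectFastPatternTest08(void)
{
    uint8_t *buf = (uint8_t *) "Dummy is our name.  Oh yes.  From right here "
        "right now, all the way to hangover.  right.  now here comes our "
        "dark knight strings3.  Yes here is our dark knight";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("de_ctx init: ");
        goto end;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                               "(msg:\"fast_pattern test\"; content:\"string1\"; "
                               "content:\"string2\"; content:\"strings3\"; fast_pattern; "
                               "content:\"strings_str4\"; content:\"strings_string5\"; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("sig parse failed: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* start the search phase */
    det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
    uint32_t r = PacketPatternSearchWithStreamCtx(det_ctx, p);
    if (r != 1) {
        printf("expected 1, got %"PRIu32": ", r);
        goto end;
    }

    result = 1;

end:
    UTHFreePackets(&p, 1);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    return result;
}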
/**
 * \test The fast_pattern content is "strings4_imp" and the payload only holds
 *       the broken-up text "no_strings4 _imp"; the pattern search is expected
 *       to return 0.
 */
int DetectFastPatternTest09(void)
{
    uint8_t *payload = (uint8_t *) "Dummy is our name.  Oh yes.  From right here "
        "right now, all the way to hangover.  right.  no_strings4 _imp now here "
        "comes our dark knight strings3.  Yes here is our dark knight";
    uint16_t payload_len = strlen((char *)payload);
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&tv, 0, sizeof(tv));
    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                                   "(msg:\"fast_pattern test\"; content:\"string1\"; "
                                   "content:\"string2\"; content:\"strings3\"; "
                                   "content:\"strings4_imp\"; fast_pattern; "
                                   "content:\"strings_string5\"; sid:1;)");
        if (de_ctx->sig_list != NULL) {
            SigGroupBuild(de_ctx);
            DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

            /* start the search phase */
            det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, pkt);
            if (PacketPatternSearchWithStreamCtx(det_ctx, pkt) == 0)
                result = 1;

            SigGroupCleanup(de_ctx);
            SigCleanSignatures(de_ctx);
            DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
        }
    }

    UTHFreePackets(&pkt, 1);
    DetectEngineCtxFree(de_ctx);
    return result;
}
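/**
 * \test The fast_pattern content "strings4_imp" is present in the payload;
 *       the pattern search is expected to return exactly 1.
 *
 * Teardown is guarded the same way as in DetectFastPatternTest11: the early
 * "goto end" paths are reached with de_ctx and/or det_ctx still NULL, and the
 * NULL handling of the cleanup helpers is not visible from this file.
 */
int DetectFastPatternTest10(void)
{
    uint8_t *buf = (uint8_t *) "Dummy is our name.  Oh yes.  From right here "
        "right now, all the way to hangover.  right.  strings4_imp now here "
        "comes our dark knight strings5.  Yes here is our dark knight";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("de_ctx init: ");
        goto end;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                               "(msg:\"fast_pattern test\"; content:\"string1\"; "
                               "content:\"string2\"; content:\"strings3\"; "
                               "content:\"strings4_imp\"; fast_pattern; "
                               "content:\"strings_string5\"; sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("sig parse failed: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* start the search phase */
    det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
    uint32_t r = PacketPatternSearchWithStreamCtx(det_ctx, p);
    if (r != 1) {
        printf("expected 1, got %"PRIu32": ", r);
        goto end;
    }

    result = 1;

end:
    UTHFreePackets(&p, 1);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    return result;
}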
/**
 * \test The fast_pattern content is "strings4_imp" while the payload holds
 *       "strings5_imp"; the pattern search is expected to return 0.
 */
int DetectFastPatternTest11(void)
{
    uint8_t *payload = (uint8_t *) "Dummy is our name.  Oh yes.  From right here "
        "right now, all the way to hangover.  right.  strings5_imp now here "
        "comes our dark knight strings5.  Yes here is our dark knight";
    uint16_t payload_len = strlen((char *)payload);
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&tv, 0, sizeof(tv));
    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                                   "(msg:\"fast_pattern test\"; content:\"string1\"; "
                                   "content:\"string2\"; content:\"strings3\"; "
                                   "content:\"strings4_imp\"; fast_pattern; "
                                   "content:\"strings_string5\"; sid:1;)");
        if (de_ctx->sig_list != NULL) {
            SigGroupBuild(de_ctx);
            DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

            /* start the search phase */
            det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, pkt);
            if (PacketPatternSearchWithStreamCtx(det_ctx, pkt) == 0)
                result = 1;
        }
    }

    /* the packet is released first, then whatever part of the engine exists */
    UTHFreePackets(&pkt, 1);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    return result;
}
/**
 * \test The rule has no fast_pattern keyword and none of its contents appear
 *       in the payload; the pattern search is expected to return 0.
 */
int DetectFastPatternTest12(void)
{
    uint8_t *payload = (uint8_t *) "Dummy is our name.  Oh yes.  From right here "
        "right now, all the way to hangover.  right.  strings5_imp now here "
        "comes our dark knight strings5.  Yes here is our dark knight";
    uint16_t payload_len = strlen((char *)payload);
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&tv, 0, sizeof(tv));
    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                                   "(msg:\"fast_pattern test\"; content:\"string1\"; "
                                   "content:\"string2\"; content:\"strings3\"; "
                                   "content:\"strings4_imp\"; "
                                   "content:\"strings_string5\"; sid:1;)");
        if (de_ctx->sig_list != NULL) {
            SigGroupBuild(de_ctx);
            DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

            /* start the search phase */
            det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, pkt);
            if (PacketPatternSearchWithStreamCtx(det_ctx, pkt) == 0)
                result = 1;

            SigGroupCleanup(de_ctx);
            SigCleanSignatures(de_ctx);
            DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
        }
    }

    UTHFreePackets(&pkt, 1);
    DetectEngineCtxFree(de_ctx);
    return result;
}
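/**
 * \test The rule has no fast_pattern keyword, so the engine picks the pattern
 *       itself; the payload contains "strings_string5" and the pattern search
 *       is expected to return exactly 1.
 *
 * Teardown is guarded the same way as in DetectFastPatternTest11: the early
 * "goto end" paths are reached with de_ctx and/or det_ctx still NULL, and the
 * NULL handling of the cleanup helpers is not visible from this file.
 */
int DetectFastPatternTest13(void)
{
    uint8_t *buf = (uint8_t *) "Dummy is our name.  Oh yes.  From right here "
        "right now, all the way to hangover.  right.  strings5_imp now here "
        "comes our dark knight strings_string5.  Yes here is our dark knight";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("de_ctx init: ");
        goto end;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                               "(msg:\"fast_pattern test\"; content:\"string1\"; "
                               "content:\"string2\"; content:\"strings3\"; "
                               "content:\"strings4_imp\"; "
                               "content:\"strings_string5\"; sid:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("sig parse failed: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* start the search phase */
    det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
    uint32_t r = PacketPatternSearchWithStreamCtx(det_ctx, p);
    if (r != 1) {
        printf("expected 1 result, got %"PRIu32": ", r);
        goto end;
    }

    result = 1;

end:
    UTHFreePackets(&p, 1);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    return result;
}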
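/**
 * \test Checks that a second signature without fast_pattern still alerts on a
 *       payload that a fast_pattern signature is inspecting as well.
 *
 * Sid 1 uses fast_pattern on "knight", sid 2 matches "Dummy is our name";
 * the test passes only when both alert on the same packet.
 *
 * Teardown is guarded the same way as in DetectFastPatternTest11, and
 * FlowShutdown() is only called on the paths where FlowInitConfig() ran.
 */
int DetectFastPatternTest14(void)
{
    uint8_t *buf = (uint8_t *) "Dummy is our name.  Oh yes.  From right here "
        "right now, all the way to hangover.  right.  strings5_imp now here "
        "comes our dark knight strings_string5.  Yes here is our dark knight";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    FlowInitConfig(FLOW_QUIET);

    de_ctx->mpm_matcher = MPM_B3G;
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                               "(msg:\"fast_pattern test\"; content:\"strings_string5\"; content:\"knight\"; fast_pattern; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any "
                                     "(msg:\"test different content\"; content:\"Dummy is our name\"; sid:2;)");
    if (de_ctx->sig_list->next == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (!PacketAlertCheck(p, 1)) {
        SCLogInfo("could not match on sig 1 with when fast_pattern is inspecting payload");
        goto end;
    }
    if (PacketAlertCheck(p, 2)) {
        result = 1;
    } else {
        SCLogInfo("match on sig 1 fast_pattern no match sig 2 inspecting same payload");
    }

end:
    UTHFreePackets(&p, 1);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
        /* FlowInitConfig() is called right after de_ctx was obtained, so a
         * non-NULL de_ctx means the flow engine was initialised */
        FlowShutdown();
    }
    return result;
}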
/**
 * \test Parses a rule with "fast_pattern:only;" and checks that the first
 *       content in the payload match list carries the
 *       DETECT_CONTENT_FAST_PATTERN flag.
 */
int DetectFastPatternTest15(void)
{
    int result = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                               "(content:\"/one/\"; fast_pattern:only; "
                               "msg:\"Testing fast_pattern\"; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* only the first content keyword decides the outcome */
    for (SigMatch *sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH];
         sm != NULL; sm = sm->next) {
        if (sm->type != DETECT_CONTENT)
            continue;
        const DetectContentData *cd = sm->ctx;
        result = (cd->flags & DETECT_CONTENT_FAST_PATTERN) ? 1 : 0;
        break;
    }

end:
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}
/**
 * \test Checks that a content keyword followed by "fast_pattern:3,4" ends up
 *       with DETECT_CONTENT_FAST_PATTERN set in the parsed Signature.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectFastPatternTest16(void)
{
    int result = 0;
    SigMatch *cur;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                               "(content:\"oneoneone\"; fast_pattern:3,4; "
                               "msg:\"Testing fast_pattern\"; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* Only the first DETECT_CONTENT entry of the DETECT_SM_LIST_PMATCH list
     * decides the outcome; later entries are never looked at. */
    for (cur = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH];
         cur != NULL; cur = cur->next) {
        if (cur->type != DETECT_CONTENT)
            continue;

        DetectContentData *data = (DetectContentData *)cur->ctx;
        result = (data->flags & DETECT_CONTENT_FAST_PATTERN) ? 1 : 0;
        break;
    }

end:
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}
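/**
 * \test Checks that "fast_pattern:only" sets both DETECT_CONTENT_FAST_PATTERN
 *       and DETECT_CONTENT_FAST_PATTERN_ONLY on the content, leaves
 *       DETECT_CONTENT_FAST_PATTERN_CHOP clear, and keeps fp_chop_offset and
 *       fp_chop_len at 0.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectFastPatternTest17(void)
{
    SigMatch *sm = NULL;
    DetectEngineCtx *de_ctx = NULL;
    DetectContentData *cd = NULL;
    int result = 0;

    if ( (de_ctx = DetectEngineCtxInit()) == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                               "(content:\"one\"; fast_pattern:only; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* An empty match list, a non-content head or a missing ctx is reported
     * as a test failure; all three are checked before ctx is read as
     * DetectContentData so the test never dereferences a NULL or
     * wrongly-typed pointer. */
    sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH];
    if (sm == NULL || sm->type != DETECT_CONTENT || sm->ctx == NULL)
        goto end;
    cd = (DetectContentData *)sm->ctx;

    if ((cd->flags & DETECT_CONTENT_FAST_PATTERN) &&
        (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
        !(cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
        cd->fp_chop_offset == 0 &&
        cd->fp_chop_len == 0) {
        result = 1;
    }

end:
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}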
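/**
 * \test Checks that "fast_pattern:3,4" sets DETECT_CONTENT_FAST_PATTERN and
 *       DETECT_CONTENT_FAST_PATTERN_CHOP on the content, leaves
 *       DETECT_CONTENT_FAST_PATTERN_ONLY clear, and stores the two arguments
 *       as fp_chop_offset == 3 and fp_chop_len == 4.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectFastPatternTest18(void)
{
    SigMatch *sm = NULL;
    DetectEngineCtx *de_ctx = NULL;
    DetectContentData *cd = NULL;
    int result = 0;

    if ( (de_ctx = DetectEngineCtxInit()) == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                               "(content:\"oneoneone\"; fast_pattern:3,4; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* An empty match list, a non-content head or a missing ctx is reported
     * as a test failure; all three are checked before ctx is read as
     * DetectContentData so the test never dereferences a NULL or
     * wrongly-typed pointer. */
    sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH];
    if (sm == NULL || sm->type != DETECT_CONTENT || sm->ctx == NULL)
        goto end;
    cd = (DetectContentData *)sm->ctx;

    if ((cd->flags & DETECT_CONTENT_FAST_PATTERN) &&
        !(cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
        (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
        cd->fp_chop_offset == 3 &&
        cd->fp_chop_len == 4) {
        result = 1;
    }

end:
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}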
/**
 * \test Negative test: a content carrying "fast_pattern:only" and then
 *       "distance:10" must be refused, i.e. SigInit() has to return NULL.
 *
 * NOTE(review): presumably the combination is rejected because an "only"
 * pattern is not inspected again after the prefilter, so the positional
 * modifier could never be enforced -- confirm against the setup code.
 *
 * \retval 1 if the rule was rejected, 0 otherwise
 */
int DetectFastPatternTest19(void)
{
    int rejected = 0;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                   "(content:\"one\"; content:\"two\"; fast_pattern:only; distance:10; sid:1;)");
        /* A non-NULL signature means the parser accepted the rule. */
        rejected = (de_ctx->sig_list == NULL);
    }

    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return rejected;
}
/**
 * \test Negative test: a content carrying "distance:10" and then
 *       "fast_pattern:only" must be refused, i.e. SigInit() has to return
 *       NULL. Same keywords as the distance-after-only case, reversed order.
 *
 * \retval 1 if the rule was rejected, 0 otherwise
 */
int DetectFastPatternTest20(void)
{
    int rejected = 0;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                   "(content:\"one\"; content:\"two\"; distance:10; fast_pattern:only; sid:1;)");
        /* A non-NULL signature means the parser accepted the rule. */
        rejected = (de_ctx->sig_list == NULL);
    }

    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return rejected;
}
/**
 * \test Negative test: a content carrying "fast_pattern:only" and then
 *       "within:10" must be refused, i.e. SigInit() has to return NULL.
 *
 * \retval 1 if the rule was rejected, 0 otherwise
 */
int DetectFastPatternTest21(void)
{
    int rejected = 0;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                   "(content:\"one\"; content:\"two\"; fast_pattern:only; within:10; sid:1;)");
        /* A non-NULL signature means the parser accepted the rule. */
        rejected = (de_ctx->sig_list == NULL);
    }

    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return rejected;
}
/**
 * \test Negative test: a content carrying "within:10" and then
 *       "fast_pattern:only" must be refused, i.e. SigInit() has to return
 *       NULL.
 *
 * \retval 1 if the rule was rejected, 0 otherwise
 */
int DetectFastPatternTest22(void)
{
    int rejected = 0;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                   "(content:\"one\"; content:\"two\"; within:10; fast_pattern:only; sid:1;)");
        /* A non-NULL signature means the parser accepted the rule. */
        rejected = (de_ctx->sig_list == NULL);
    }

    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return rejected;
}
/**
 * \test Negative test: a content carrying "fast_pattern:only" and then
 *       "offset:10" must be refused, i.e. SigInit() has to return NULL.
 *
 * \retval 1 if the rule was rejected, 0 otherwise
 */
int DetectFastPatternTest23(void)
{
    int rejected = 0;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                   "(content:\"one\"; content:\"two\"; fast_pattern:only; offset:10; sid:1;)");
        /* A non-NULL signature means the parser accepted the rule. */
        rejected = (de_ctx->sig_list == NULL);
    }

    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return rejected;
}
/**
 * \test Negative test: a content carrying "offset:10" and then
 *       "fast_pattern:only" must be refused, i.e. SigInit() has to return
 *       NULL.
 *
 * \retval 1 if the rule was rejected, 0 otherwise
 */
int DetectFastPatternTest24(void)
{
    int rejected = 0;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                   "(content:\"one\"; content:\"two\"; offset:10; fast_pattern:only; sid:1;)");
        /* A non-NULL signature means the parser accepted the rule. */
        rejected = (de_ctx->sig_list == NULL);
    }

    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return rejected;
}
/**
 * \test Negative test: a content carrying "fast_pattern:only" and then
 *       "depth:10" must be refused, i.e. SigInit() has to return NULL.
 *
 * \retval 1 if the rule was rejected, 0 otherwise
 */
int DetectFastPatternTest25(void)
{
    int rejected = 0;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                   "(content:\"one\"; content:\"two\"; fast_pattern:only; depth:10; sid:1;)");
        /* A non-NULL signature means the parser accepted the rule. */
        rejected = (de_ctx->sig_list == NULL);
    }

    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return rejected;
}
/**
 * \test Negative test: a content carrying "depth:10" and then
 *       "fast_pattern:only" must be refused, i.e. SigInit() has to return
 *       NULL.
 *
 * \retval 1 if the rule was rejected, 0 otherwise
 */
int DetectFastPatternTest26(void)
{
    int rejected = 0;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                   "(content:\"one\"; content:\"two\"; depth:10; fast_pattern:only; sid:1;)");
        /* A non-NULL signature means the parser accepted the rule. */
        rejected = (de_ctx->sig_list == NULL);
    }

    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return rejected;
}
/**
 * \test Negative test: a negated content (content:!"two") carrying
 *       "fast_pattern:only" must be refused, i.e. SigInit() has to return
 *       NULL.
 *
 * \retval 1 if the rule was rejected, 0 otherwise
 */
int DetectFastPatternTest27(void)
{
    int rejected = 0;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx != NULL) {
        de_ctx->flags |= DE_QUIET;
        de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                                   "(content:\"one\"; content:!\"two\"; fast_pattern:only; sid:1;)");
        /* A non-NULL signature means the parser accepted the rule. */
        rejected = (de_ctx->sig_list == NULL);
    }

    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return rejected;
}
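/**
 * \test Checks that "fast_pattern:only" is accepted on a content of its own
 *       when an earlier, separate content in the same rule carries
 *       "distance:30". The last entry of the DETECT_SM_LIST_PMATCH list must
 *       have DETECT_CONTENT_FAST_PATTERN and DETECT_CONTENT_FAST_PATTERN_ONLY
 *       set, DETECT_CONTENT_FAST_PATTERN_CHOP clear, and both chop fields 0.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectFastPatternTest28(void)
{
    DetectEngineCtx *de_ctx = NULL;
    SigMatch *sm = NULL;
    DetectContentData *cd = NULL;
    int result = 0;

    if ( (de_ctx = DetectEngineCtxInit()) == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                               "(content: \"one\"; content:\"two\"; distance:30; content:\"two\"; fast_pattern:only; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* Fail the test instead of crashing when the list tail is missing, is
     * not a content match, or has no ctx to read as DetectContentData. */
    sm = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH];
    if (sm == NULL || sm->type != DETECT_CONTENT || sm->ctx == NULL)
        goto end;
    cd = (DetectContentData *)sm->ctx;

    if ((cd->flags & DETECT_CONTENT_FAST_PATTERN) &&
        (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
        !(cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
        cd->fp_chop_offset == 0 &&
        cd->fp_chop_len == 0) {
        result = 1;
    }

end:
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}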
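/**
 * \test Checks that "fast_pattern:only" is accepted on a content of its own
 *       when an earlier, separate content in the same rule carries
 *       "within:30". The last entry of the DETECT_SM_LIST_PMATCH list must
 *       have DETECT_CONTENT_FAST_PATTERN and DETECT_CONTENT_FAST_PATTERN_ONLY
 *       set, DETECT_CONTENT_FAST_PATTERN_CHOP clear, and both chop fields 0.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectFastPatternTest29(void)
{
    DetectEngineCtx *de_ctx = NULL;
    SigMatch *sm = NULL;
    DetectContentData *cd = NULL;
    int result = 0;

    if ( (de_ctx = DetectEngineCtxInit()) == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                               "(content:\"one\"; content:\"two\"; within:30; content:\"two\"; fast_pattern:only; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* Fail the test instead of crashing when the list tail is missing, is
     * not a content match, or has no ctx to read as DetectContentData. */
    sm = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH];
    if (sm == NULL || sm->type != DETECT_CONTENT || sm->ctx == NULL)
        goto end;
    cd = (DetectContentData *)sm->ctx;

    if ((cd->flags & DETECT_CONTENT_FAST_PATTERN) &&
        (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
        !(cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
        cd->fp_chop_offset == 0 &&
        cd->fp_chop_len == 0) {
        result = 1;
    }

end:
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}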
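/**
 * \test Checks that "fast_pattern:only" is accepted on a content of its own
 *       when an earlier, separate content in the same rule carries
 *       "offset:30". The last entry of the DETECT_SM_LIST_PMATCH list must
 *       have DETECT_CONTENT_FAST_PATTERN and DETECT_CONTENT_FAST_PATTERN_ONLY
 *       set, DETECT_CONTENT_FAST_PATTERN_CHOP clear, and both chop fields 0.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectFastPatternTest30(void)
{
    DetectEngineCtx *de_ctx = NULL;
    SigMatch *sm = NULL;
    DetectContentData *cd = NULL;
    int result = 0;

    if ( (de_ctx = DetectEngineCtxInit()) == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                               "(content:\"one\"; content:\"two\"; offset:30; content:\"two\"; fast_pattern:only; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* Fail the test instead of crashing when the list tail is missing, is
     * not a content match, or has no ctx to read as DetectContentData. */
    sm = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH];
    if (sm == NULL || sm->type != DETECT_CONTENT || sm->ctx == NULL)
        goto end;
    cd = (DetectContentData *)sm->ctx;

    if ((cd->flags & DETECT_CONTENT_FAST_PATTERN) &&
        (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
        !(cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
        cd->fp_chop_offset == 0 &&
        cd->fp_chop_len == 0) {
        result = 1;
    }

end:
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}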
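/**
 * \test Checks that "fast_pattern:only" is accepted on a content of its own
 *       when an earlier, separate content in the same rule carries
 *       "depth:30". The last entry of the DETECT_SM_LIST_PMATCH list must
 *       have DETECT_CONTENT_FAST_PATTERN and DETECT_CONTENT_FAST_PATTERN_ONLY
 *       set, DETECT_CONTENT_FAST_PATTERN_CHOP clear, and both chop fields 0.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectFastPatternTest31(void)
{
    DetectEngineCtx *de_ctx = NULL;
    SigMatch *sm = NULL;
    DetectContentData *cd = NULL;
    int result = 0;

    if ( (de_ctx = DetectEngineCtxInit()) == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                               "(content:\"one\"; content:\"two\"; depth:30; content:\"two\"; fast_pattern:only; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* Fail the test instead of crashing when the list tail is missing, is
     * not a content match, or has no ctx to read as DetectContentData. */
    sm = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH];
    if (sm == NULL || sm->type != DETECT_CONTENT || sm->ctx == NULL)
        goto end;
    cd = (DetectContentData *)sm->ctx;

    if ((cd->flags & DETECT_CONTENT_FAST_PATTERN) &&
        (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
        !(cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
        cd->fp_chop_offset == 0 &&
        cd->fp_chop_len == 0) {
        result = 1;
    }

end:
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}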
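/**
 * \test Checks that plain "fast_pattern" is accepted on a negated content
 *       (content:!"one"). The entry before the tail of the
 *       DETECT_SM_LIST_PMATCH list must have DETECT_CONTENT_FAST_PATTERN and
 *       DETECT_CONTENT_NEGATED set, DETECT_CONTENT_FAST_PATTERN_ONLY and
 *       DETECT_CONTENT_FAST_PATTERN_CHOP clear, and both chop fields 0.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectFastPatternTest32(void)
{
    DetectEngineCtx *de_ctx = NULL;
    SigMatch *sm = NULL;
    DetectContentData *cd = NULL;
    int result = 0;

    if ( (de_ctx = DetectEngineCtxInit()) == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
                               "(content:!\"one\"; fast_pattern; content:\"two\"; sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    /* The content under test is the one before the tail. Each link of the
     * tail->prev->ctx chain is checked so that a shorter list or a
     * non-content entry fails the test instead of crashing it. */
    sm = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH];
    if (sm == NULL || sm->prev == NULL)
        goto end;
    sm = sm->prev;
    if (sm->type != DETECT_CONTENT || sm->ctx == NULL)
        goto end;
    cd = (DetectContentData *)sm->ctx;

    if ((cd->flags & DETECT_CONTENT_FAST_PATTERN) &&
        (cd->flags & DETECT_CONTENT_NEGATED) &&
        !(cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
        !(cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
        cd->fp_chop_offset == 0 &&
        cd->fp_chop_len == 0) {
        result = 1;
    }

end:
    SigCleanSignatures(de_ctx);
    DetectEngineCtxFree(de_ctx);
    return result;
}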
- int DetectFastPatternTest33(void)
- {
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
- "(content:\"two\"; content:!\"one\"; fast_pattern; distance:20; sid:1;)");
- if (de_ctx->sig_list != NULL)
- goto end;
- result = 1;
- end:
- SigCleanSignatur…