diff --git a/src/detect-bytejump.c b/src/detect-bytejump.c index e2960f4a13..7dc2179372 100644 --- a/src/detect-bytejump.c +++ b/src/detect-bytejump.c @@ -603,6 +603,12 @@ int DetectBytejumpSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) break; + case DETECT_BYTEJUMP: + SCLogDebug("No setting relative_next for bytejump. We " + "have no use for it"); + + break; + default: /* this will never hit */ SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c index a87c0517d2..edd15a0e39 100644 --- a/src/detect-bytetest.c +++ b/src/detect-bytetest.c @@ -619,6 +619,12 @@ int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, char *optstr) break; + case DETECT_BYTEJUMP: + SCLogDebug("No setting relative_next for bytejump. We " + "have no use for it"); + + break; + default: /* this will never hit */ SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" diff --git a/src/detect-distance.c b/src/detect-distance.c index 3102d4b555..2b1ea90269 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -97,7 +97,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, DETECT_PCRE, s->pmatch_tail, DETECT_BYTEJUMP, s->pmatch_tail); if (pm1_ots != NULL && pm1_ots->prev != NULL) { - pm2_ots = SigMatchGetLastSMFromLists(s, 2, + pm2_ots = SigMatchGetLastSMFromLists(s, 6, DETECT_CONTENT, pm1_ots->prev, DETECT_PCRE, pm1_ots->prev, DETECT_BYTEJUMP, pm1_ots->prev); @@ -265,6 +265,12 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, break; + case DETECT_BYTEJUMP: + SCLogDebug("No setting relative_next for bytejump. We " + "have no use for it"); + + break; + default: /* this will never hit */ SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" diff --git a/src/detect-engine-dcepayload.c b/src/detect-engine-dcepayload.c index 62ae4f76c9..2ebf3b064b 100644 --- a/src/detect-engine-dcepayload.c +++ b/src/detect-engine-dcepayload.c 
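Review bot: The `default:` branch directly below the new `case DETECT_BYTEJUMP:` still carries the comment `/* this will never hit */`, which no longer reads as reliable now that a previous-keyword type had to be added to the switch; a comment such as `/* previous keyword type not handled by this switch */` states what the branch guards against. The added case would also be clearer with a one-line comment, `/* byte_jump has no relative_next flag to set on the previous match */`, because the debug string "No setting relative_next for bytejump" is hard to parse. The same six lines are added in detect-bytetest.c, detect-distance.c, detect-isdataat.c and detect-within.c, so the wording applies to all five. The enclosing switch starts outside each hunk.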
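Review bot: The second argument of `SigMatchGetLastSMFromLists(s, 6, ...)` in detect-distance.c is a hand-written count that has to equal the number of type/list arguments that follow (three pairs here), and nothing at the call site checks it. With the old value `2` only the `DETECT_CONTENT` pair would presumably have been read, so a preceding pcre or byte_jump could be skipped when resolving what `distance` is relative to, and the rule would then match differently from what its author wrote. A short comment at the call, `/* 6 = 3 (type, list) pairs */`, or a wrapper macro that derives the count, would keep the next edit from reintroducing the mismatch. The same correction is made in the first hunk of detect-within.c. DetectDistanceSetup starts and ends outside the hunk.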
@@ -7840,10 +7840,132 @@ int DcePayloadParseTest25(void) result = 0; goto end; } + if (s->pmatch_tail == NULL) { + result = 0; + goto end; + } + + sm = s->pmatch; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "one", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "two", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "three", 5) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & 
DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "four", 4) == 0); + if (result == 0) + goto end; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test content for dce sig. + */ +int DcePayloadParseTest26(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + SigMatch *sm = NULL; + DetectContentData *data = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_stub_data; " + "content: one; " + "content:two; " + "content:three; within:5; " + "content:four; distance:10; " + "sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + if (s->dmatch_tail != NULL) { result = 0; goto end; } + if (s->pmatch_tail == NULL) { + result = 0; + goto end; + } sm = s->pmatch; if (sm->type != DETECT_CONTENT) { @@ -7858,6 +7980,7 @@ int DcePayloadParseTest25(void) data->flags & DETECT_CONTENT_FAST_PATTERN || data->flags & DETECT_CONTENT_NEGATED ) { result = 0; + printf("one failed\n"); goto end; } result &= (strncmp((char *)data->content, "one", 3) == 0); 
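Review bot: In DcePayloadParseTest26, `if (de_ctx == NULL) goto end;` jumps with `result` still at its initial value of 1, so a failed `DetectEngineCtxInit()` is reported as a pass. The `end:` label then hands the NULL context to `SigGroupCleanup`, `SigCleanSignatures` and `DetectEngineCtxFree`; whether those accept NULL is not visible here. Setting the result before the jump, `if (de_ctx == NULL) { result = 0; goto end; }`, and skipping the cleanup calls for a NULL context would close that. The same opening is repeated in DcePayloadParseTest27 through DcePayloadParseTest33 in the later hunks, and this test's own `end:` label lies in the following hunk.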
@@ -7877,6 +8000,133 @@ int DcePayloadParseTest25(void) data->flags & DETECT_CONTENT_FAST_PATTERN || data->flags & DETECT_CONTENT_NEGATED ) { result = 0; + printf("two failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "two", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("three failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "three", 5) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("four failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "four", 4) == 0); + if (result == 0) + goto end; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test content for dce sig. 
+ */ +int DcePayloadParseTest27(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + SigMatch *sm = NULL; + DetectContentData *data = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_stub_data; " + "content: one; distance:10; within:5; " + "content:two; within:5;" + "content:three; within:5; " + "content:four; distance:10; " + "sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + if (s->pmatch_tail != NULL) { + result = 0; + goto end; + } + + sm = s->dmatch; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("one failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "one", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("two failed\n"); goto end; } result &= (strncmp((char *)data->content, "two", 3) == 0); 
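Review bot: Every step of the list walk does `sm = sm->next;` followed immediately by `sm->type`, so if the parser links fewer matches into a list than the test expects, the test dereferences NULL and takes down the unit-test run instead of returning 0. The guard can be folded into the existing check: `if (sm == NULL || sm->type != DETECT_CONTENT) {`. This applies to the walks in DcePayloadParseTest26 and DcePayloadParseTest27 here and to the tests added in the next hunk. The `sm = s->pmatch` and `sm = s->dmatch` starts are protected by the tail checks only if head and tail are always set together, which this diff does not show.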
@@ -7895,6 +8145,853 @@ int DcePayloadParseTest25(void) data->flags & DETECT_CONTENT_DISTANCE || data->flags & DETECT_CONTENT_FAST_PATTERN || data->flags & DETECT_CONTENT_NEGATED ) { + printf("three failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "three", 5) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("four failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "four", 4) == 0); + if (result == 0) + goto end; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test content for dce sig. 
+ */ +int DcePayloadParseTest28(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + SigMatch *sm = NULL; + DetectContentData *data = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_stub_data; " + "content: one; distance:10; within:5; " + "content:two; within:5;" + "content:three;" + "content:four;" + "sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + if (s->pmatch_tail == NULL) { + result = 0; + goto end; + } + + sm = s->dmatch; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("one failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "one", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("two failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "two", 3) == 0); + if (result == 0) + goto end; + + sm = s->pmatch; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & 
DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("three failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "three", 5) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("four failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "four", 4) == 0); + if (result == 0) + goto end; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test content for dce sig. 
+ */ +int DcePayloadParseTest29(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + SigMatch *sm = NULL; + DetectContentData *data = NULL; + DetectPcreData *pd = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_stub_data; " + "pcre:/boom/; " + "content:one; distance:10; within:5; " + "content:two; within:5;" + "content:three;" + "content:four;" + "sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + if (s->dmatch_tail != NULL) { + result = 0; + goto end; + } + if (s->pmatch_tail == NULL) { + result = 0; + goto end; + } + + sm = s->pmatch; + if (sm->type != DETECT_PCRE) { + result = 0; + goto end; + } + pd = (DetectPcreData *)sm->ctx; + if (pd->flags & DETECT_CONTENT_RAWBYTES || + pd->flags & DETECT_PCRE_RELATIVE) { + result = 0; + printf("one failed\n"); + goto end; + } + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("one failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "one", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("two failed\n"); + goto end; + 
} + result &= (strncmp((char *)data->content, "two", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("three failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "three", 5) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("four failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "four", 4) == 0); + if (result == 0) + goto end; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test content for dce sig. 
+ */ +int DcePayloadParseTest30(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + SigMatch *sm = NULL; + DetectContentData *data = NULL; + DetectBytejumpData *bd = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_stub_data; " + "byte_jump:2,5; " + "content:one; distance:10; within:5; " + "content:two; within:5;" + "content:three;" + "content:four;" + "sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + if (s->dmatch_tail != NULL) { + result = 0; + goto end; + } + if (s->pmatch_tail == NULL) { + result = 0; + goto end; + } + + sm = s->pmatch; + if (sm->type != DETECT_BYTEJUMP) { + result = 0; + goto end; + } + bd = (DetectBytejumpData *)sm->ctx; + if (bd->flags & DETECT_BYTEJUMP_BEGIN || + bd->flags & DETECT_BYTEJUMP_LITTLE || + bd->flags & DETECT_BYTEJUMP_BIG || + bd->flags & DETECT_BYTEJUMP_STRING || + bd->flags & DETECT_BYTEJUMP_RELATIVE || + bd->flags & DETECT_BYTEJUMP_ALIGN || + bd->flags & DETECT_BYTEJUMP_DCE ) { + result = 0; + printf("one failed\n"); + goto end; + } + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("one failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "one", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & 
DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("two failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "two", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("three failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "three", 5) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("four failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "four", 4) == 0); + if (result == 0) + goto end; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test content for dce sig. 
+ */ +int DcePayloadParseTest31(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + SigMatch *sm = NULL; + DetectContentData *data = NULL; + DetectBytejumpData *bd = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_stub_data; " + "byte_jump:2,5,relative; " + "content:one; distance:10; within:5; " + "content:two; within:5;" + "content:three;" + "content:four;" + "sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + if (s->pmatch_tail == NULL) { + result = 0; + goto end; + } + + sm = s->dmatch; + if (sm->type != DETECT_BYTEJUMP) { + result = 0; + goto end; + } + bd = (DetectBytejumpData *)sm->ctx; + if (bd->flags & DETECT_BYTEJUMP_BEGIN || + bd->flags & DETECT_BYTEJUMP_LITTLE || + bd->flags & DETECT_BYTEJUMP_BIG || + bd->flags & DETECT_BYTEJUMP_STRING || + !(bd->flags & DETECT_BYTEJUMP_RELATIVE) || + bd->flags & DETECT_BYTEJUMP_ALIGN || + bd->flags & DETECT_BYTEJUMP_DCE ) { + result = 0; + printf("one failed\n"); + goto end; + } + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("one failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "one", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + 
!(data->flags & DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("two failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "two", 3) == 0); + if (result == 0) + goto end; + + sm = s->pmatch; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("three failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "three", 5) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("four failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "four", 4) == 0); + if (result == 0) + goto end; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test content for dce sig. 
+ */ +int DcePayloadParseTest32(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + SigMatch *sm = NULL; + DetectContentData *data = NULL; + DetectBytejumpData *bd = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_stub_data; " + "byte_jump:2,5,relative; " + "content:one; distance:10; within:5; " + "content:two; within:5;" + "content:three;" + "content:four; within:4; " + "sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + if (s->pmatch_tail == NULL) { + result = 0; + goto end; + } + + sm = s->dmatch; + if (sm->type != DETECT_BYTEJUMP) { + result = 0; + goto end; + } + bd = (DetectBytejumpData *)sm->ctx; + if (bd->flags & DETECT_BYTEJUMP_BEGIN || + bd->flags & DETECT_BYTEJUMP_LITTLE || + bd->flags & DETECT_BYTEJUMP_BIG || + bd->flags & DETECT_BYTEJUMP_STRING || + !(bd->flags & DETECT_BYTEJUMP_RELATIVE) || + bd->flags & DETECT_BYTEJUMP_ALIGN || + bd->flags & DETECT_BYTEJUMP_DCE ) { + result = 0; + printf("one failed\n"); + goto end; + } + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("one failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "one", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE 
|| + !(data->flags & DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("two failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "two", 3) == 0); + if (result == 0) + goto end; + + sm = s->pmatch; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("three failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "three", 5) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("four failed\n"); + result = 0; + goto end; + } + result &= (strncmp((char *)data->content, "four", 4) == 0); + if (result == 0) + goto end; + + end: + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + + return result; +} + +/** + * \test Test content for dce sig. 
+ */ +int DcePayloadParseTest33(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 1; + Signature *s = NULL; + SigMatch *sm = NULL; + DetectContentData *data = NULL; + DetectPcreData *pd = NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any " + "(msg:\"Testing bytejump_body\"; " + "dce_stub_data; " + "pcre:/boom/R; " + "content:one; distance:10; within:5; " + "content:two; within:5;" + "content:three;" + "content:four; distance:5;" + "sid:1;)"); + if (de_ctx->sig_list == NULL) { + result = 0; + goto end; + } + + if (s->dmatch_tail == NULL) { + result = 0; + goto end; + } + if (s->pmatch_tail == NULL) { + result = 0; + goto end; + } + + sm = s->dmatch; + if (sm->type != DETECT_PCRE) { + result = 0; + goto end; + } + pd = (DetectPcreData *)sm->ctx; + if ( pd->flags & DETECT_CONTENT_RAWBYTES || + !(pd->flags & DETECT_PCRE_RELATIVE)) { + result = 0; + printf("one failed\n"); + goto end; + } + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + !(data->flags & DETECT_CONTENT_DISTANCE) || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("one failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "one", 3) == 0); + if (result == 0) + goto end; + + sm = sm->next; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + !(data->flags & DETECT_CONTENT_WITHIN) || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + result = 0; + printf("two 
failed\n"); + goto end; + } + result &= (strncmp((char *)data->content, "two", 3) == 0); + if (result == 0) + goto end; + + sm = s->pmatch; + if (sm->type != DETECT_CONTENT) { + result = 0; + goto end; + } + data = (DetectContentData *)sm->ctx; + if (data->flags & DETECT_CONTENT_RAWBYTES || + data->flags & DETECT_CONTENT_NOCASE || + data->flags & DETECT_CONTENT_WITHIN || + data->flags & DETECT_CONTENT_DISTANCE || + data->flags & DETECT_CONTENT_FAST_PATTERN || + data->flags & DETECT_CONTENT_NEGATED ) { + printf("three failed\n"); result = 0; goto end; } @@ -7914,6 +9011,7 @@ int DcePayloadParseTest25(void) !(data->flags & DETECT_CONTENT_DISTANCE) || data->flags & DETECT_CONTENT_FAST_PATTERN || data->flags & DETECT_CONTENT_NEGATED ) { + printf("four failed\n"); result = 0; goto end; } @@ -7961,6 +9059,14 @@ void DcePayloadRegisterTests(void) UtRegisterTest("DcePayloadTest24", DcePayloadTest24, 1); UtRegisterTest("DcePayloadParseTest25", DcePayloadParseTest25, 1); + UtRegisterTest("DcePayloadParseTest26", DcePayloadParseTest26, 1); + UtRegisterTest("DcePayloadParseTest27", DcePayloadParseTest27, 1); + UtRegisterTest("DcePayloadParseTest28", DcePayloadParseTest28, 1); + UtRegisterTest("DcePayloadParseTest29", DcePayloadParseTest29, 1); + UtRegisterTest("DcePayloadParseTest30", DcePayloadParseTest30, 1); + UtRegisterTest("DcePayloadParseTest31", DcePayloadParseTest31, 1); + UtRegisterTest("DcePayloadParseTest32", DcePayloadParseTest32, 1); + UtRegisterTest("DcePayloadParseTest33", DcePayloadParseTest33, 1); #endif /* UNITTESTS */ return; diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index 8e7f664193..1a4fd42cb7 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c 
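Review bot: DcePayloadParseTest29 and DcePayloadParseTest33 test `pd->flags & DETECT_CONTENT_RAWBYTES` on a `DetectPcreData`, which mixes the content flag namespace into the pcre flags. The value of `DETECT_CONTENT_RAWBYTES` is not shown in this diff, so the check may be looking at an unrelated pcre bit. detect-pcre.h, patched in the same commit, defines `DETECT_PCRE_RAWBYTES 0x02`, and the condition should read `pd->flags & DETECT_PCRE_RAWBYTES`. Separately, tests 29 to 33 print `"one failed\n"` both for the leading pcre/byte_jump check and for the first content check, so the message does not identify which assertion failed.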
@@ -301,6 +301,12 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst break; + case DETECT_BYTEJUMP: + SCLogDebug("No setting relative_next for bytejump. We " + "have no use for it"); + + break; + default: /* this will never hit */ SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-" diff --git a/src/detect-parse.c b/src/detect-parse.c index cf4f7f171c..2b2e66c5a4 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -520,16 +520,15 @@ void SigMatchTransferSigMatchAcrossLists(SigMatch *sm, { /* we won't do any checks for args */ - if (sm == *src_sm_list) { - *src_sm_list = sm->next; - } else { + if (sm->prev != NULL) sm->prev->next = sm->next; + if (sm->next != NULL) sm->next->prev = sm->prev; - } - if (sm == *src_sm_list_tail) { + if (sm == *src_sm_list) + *src_sm_list = sm->next; + if (sm == *src_sm_list_tail) *src_sm_list_tail = sm->prev; - } if (*dst_sm_list == NULL) { *dst_sm_list = sm; diff --git a/src/detect-pcre.h b/src/detect-pcre.h index 4c676445a8..3e574eaa0d 100644 --- a/src/detect-pcre.h +++ b/src/detect-pcre.h @@ -27,13 +27,13 @@ #define DETECT_PCRE_RELATIVE 0x01 #define DETECT_PCRE_RAWBYTES 0x02 #define DETECT_PCRE_URI 0x04 -#define DETECT_PCRE_RELATIVE_NEXT 0x08 #define DETECT_PCRE_CAPTURE_PKT 0x08 #define DETECT_PCRE_CAPTURE_FLOW 0x10 #define DETECT_PCRE_MATCH_LIMIT 0x20 #define DETECT_PCRE_HTTP_BODY_AL 0x40 +#define DETECT_PCRE_RELATIVE_NEXT 0x80 typedef struct DetectPcreData_ { /* pcre options */ diff --git a/src/detect-within.c b/src/detect-within.c index 7c25bddbfb..337a7c7a78 100644 --- a/src/detect-within.c +++ b/src/detect-within.c 
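Review bot: After the new unlink sequence in SigMatchTransferSigMatchAcrossLists, `sm->prev` and `sm->next` still point at the match's old neighbours in the source list. The append to the destination list begins at `if (*dst_sm_list == NULL)` and continues outside the hunk, so it is not visible whether both links are overwritten on every path. If they are not, adding `sm->prev = NULL; sm->next = NULL;` right after the tail update keeps a moved match from carrying stale pointers into the other list. The four unbraced `if` statements also differ from the braced `if (*dst_sm_list == NULL) {` that follows; bracing them would match the rest of the function.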
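Review bot: `DETECT_PCRE_RELATIVE_NEXT` now takes 0x80, the top bit of an 8-bit field, and the type of the `flags` member in `DetectPcreData_` is outside the hunk, so confirm it is wide enough and that no later flag will need a bit beyond it. The define also sits after `DETECT_PCRE_HTTP_BODY_AL`, away from `DETECT_PCRE_RELATIVE`, which makes the value list harder to scan for duplicates. A comment above the block, `/* one bit per flag, values must be unique */`, would document the invariant that the previous 0x08 duplicate with `DETECT_PCRE_CAPTURE_PKT` broke.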
@@ -100,7 +100,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi DETECT_PCRE, s->pmatch_tail, DETECT_BYTEJUMP, s->pmatch_tail); if (pm1_ots != NULL && pm1_ots->prev != NULL) { - pm2_ots = SigMatchGetLastSMFromLists(s, 2, + pm2_ots = SigMatchGetLastSMFromLists(s, 6, DETECT_CONTENT, pm1_ots->prev, DETECT_PCRE, pm1_ots->prev, DETECT_BYTEJUMP, pm1_ots->prev); @@ -248,7 +248,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi pm = SigMatchGetLastSMFromLists(s, 6, DETECT_CONTENT, pm->prev, DETECT_PCRE, pm->prev, - DETECT_BYTEJUMP, s->pmatch_tail); + DETECT_BYTEJUMP, pm->prev); DetectPcreData *pe = NULL; if (pm == NULL) { @@ -286,6 +286,12 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi break; + case DETECT_BYTEJUMP: + SCLogDebug("No setting relative_next for bytejump. We " + "have no use for it"); + + break; + default: /* this will never hit */ SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown previous-"