|
|
|
|
@ -5249,159 +5249,6 @@ libhtp:\n\
|
|
|
|
|
PASS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test Test that a signature containting a http_server_body is correctly parsed
|
|
|
|
|
* and the keyword is registered.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpServerBodyTest01(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
SigMatch *sm = NULL;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing http_server_body\"; "
|
|
|
|
|
"content:\"one\"; http_server_body; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* sm should not be in the MATCH list */
|
|
|
|
|
sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
|
|
|
|
|
if (sm != NULL) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sm = de_ctx->sig_list->sm_lists[g_file_data_buffer_id];
|
|
|
|
|
if (sm == NULL) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (sm->type != DETECT_CONTENT) {
|
|
|
|
|
printf("sm type not DETECT_AL_HTTP_SERVER_BODY: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (sm->next != NULL) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
end:
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test Test that a signature containing an valid http_server_body entry is
|
|
|
|
|
* parsed.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpServerBodyTest02(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing http_server_body\"; "
|
|
|
|
|
"content:\"one\"; http_server_body:; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list != NULL)
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test Test that an invalid signature containing no content but a http_server_body
|
|
|
|
|
* is invalidated.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpServerBodyTest03(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing http_server_body\"; "
|
|
|
|
|
"http_server_body; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test Test that an invalid signature containing a rawbytes along with a
|
|
|
|
|
* http_server_body is invalidated.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpServerBodyTest04(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing http_server_body\"; "
|
|
|
|
|
"content:\"one\"; rawbytes; http_server_body; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL)
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test Test that an invalid signature containing a rawbytes along with a
|
|
|
|
|
* http_server_body is invalidated.
|
|
|
|
|
*/
|
|
|
|
|
static int DetectHttpServerBodyTest05(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing http_server_body\"; "
|
|
|
|
|
"content:\"one\"; http_server_body; nocase; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list != NULL)
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*\test Test that the http_server_body content matches against a http request
|
|
|
|
|
* which holds the content.
|
|
|
|
|
@ -6746,671 +6593,6 @@ end:
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest22(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; content:\"two\"; http_server_body; "
|
|
|
|
|
"content:\"three\"; distance:10; http_server_body; content:\"four\"; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *cd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
|
|
|
|
|
if (cd1->flags != 0 || memcmp(cd1->content, "one", cd1->content_len) != 0 ||
|
|
|
|
|
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
|
hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hsbd1->content, "two", hsbd1->content_len) != 0 ||
|
|
|
|
|
hsbd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(hsbd2->content, "three", hsbd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!DETECT_CONTENT_IS_SINGLE(cd1) ||
|
|
|
|
|
!DETECT_CONTENT_IS_SINGLE(cd2) ||
|
|
|
|
|
DETECT_CONTENT_IS_SINGLE(hsbd1) ||
|
|
|
|
|
DETECT_CONTENT_IS_SINGLE(hsbd2)) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest23(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; http_server_body; pcre:/two/; "
|
|
|
|
|
"content:\"three\"; distance:10; http_server_body; content:\"four\"; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != 0 ||
|
|
|
|
|
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
|
hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 ||
|
|
|
|
|
hsbd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(hsbd2->content, "three", hsbd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!DETECT_CONTENT_IS_SINGLE(cd2) ||
|
|
|
|
|
DETECT_CONTENT_IS_SINGLE(hsbd1) ||
|
|
|
|
|
DETECT_CONTENT_IS_SINGLE(hsbd2)) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest24(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; http_server_body; pcre:/two/; "
|
|
|
|
|
"content:\"three\"; distance:10; within:15; http_server_body; content:\"four\"; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != 0 ||
|
|
|
|
|
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
|
hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 ||
|
|
|
|
|
hsbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) ||
|
|
|
|
|
memcmp(hsbd2->content, "three", hsbd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!DETECT_CONTENT_IS_SINGLE(cd2) ||
|
|
|
|
|
DETECT_CONTENT_IS_SINGLE(hsbd1) ||
|
|
|
|
|
DETECT_CONTENT_IS_SINGLE(hsbd2)) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest25(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; http_server_body; pcre:/two/; "
|
|
|
|
|
"content:\"three\"; distance:10; http_server_body; "
|
|
|
|
|
"content:\"four\"; distance:10; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT ||
|
|
|
|
|
cd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
|
hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 ||
|
|
|
|
|
hsbd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(hsbd2->content, "three", hsbd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (DETECT_CONTENT_IS_SINGLE(cd2) ||
|
|
|
|
|
DETECT_CONTENT_IS_SINGLE(hsbd1) ||
|
|
|
|
|
DETECT_CONTENT_IS_SINGLE(hsbd2)) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest26(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; offset:10; http_server_body; pcre:/two/; "
|
|
|
|
|
"content:\"three\"; distance:10; http_server_body; within:10; "
|
|
|
|
|
"content:\"four\"; distance:10; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
|
|
|
|
|
cd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
|
hsbd1->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_OFFSET) ||
|
|
|
|
|
memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 ||
|
|
|
|
|
hsbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) ||
|
|
|
|
|
memcmp(hsbd2->content, "three", hsbd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (DETECT_CONTENT_IS_SINGLE(cd2) ||
|
|
|
|
|
DETECT_CONTENT_IS_SINGLE(hsbd1) ||
|
|
|
|
|
DETECT_CONTENT_IS_SINGLE(hsbd2)) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \test invalid combination for content: distance, depth, http_server_body */
|
|
|
|
|
static int DetectHttpServerBodyTest27(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; offset:10; http_server_body; pcre:/two/; distance:10; "
|
|
|
|
|
"content:\"three\"; distance:10; http_server_body; depth:10; "
|
|
|
|
|
"content:\"four\"; distance:10; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list != NULL) {
|
|
|
|
|
printf("de_ctx->sig_list != NULL: ");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest28(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; http_server_body; pcre:/two/; "
|
|
|
|
|
"content:\"three\"; http_server_body; depth:10; "
|
|
|
|
|
"content:\"four\"; distance:10; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->prev->ctx;
|
|
|
|
|
DetectContentData *cd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
|
|
|
|
|
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
|
|
|
|
|
cd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
|
|
|
|
|
hsbd1->flags != 0 ||
|
|
|
|
|
memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 ||
|
|
|
|
|
hsbd2->flags != DETECT_CONTENT_DEPTH ||
|
|
|
|
|
memcmp(hsbd2->content, "three", hsbd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (DETECT_CONTENT_IS_SINGLE(cd2) ||
|
|
|
|
|
!DETECT_CONTENT_IS_SINGLE(hsbd1) ||
|
|
|
|
|
DETECT_CONTENT_IS_SINGLE(hsbd2)) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest29(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; http_server_body; "
|
|
|
|
|
"content:\"two\"; distance:0; http_server_body; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
|
|
|
|
|
if (hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 ||
|
|
|
|
|
hsbd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(hsbd2->content, "two", hsbd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest30(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; http_server_body; "
|
|
|
|
|
"content:\"two\"; within:5; http_server_body; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
|
|
|
|
|
if (hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 ||
|
|
|
|
|
hsbd2->flags != DETECT_CONTENT_WITHIN ||
|
|
|
|
|
memcmp(hsbd2->content, "two", hsbd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest31(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; within:5; http_server_body; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest32(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; http_server_body; within:5; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest33(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"one\"; within:5; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest34(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
FAIL_IF_NULL(de_ctx);
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(pcre:/one/Q; "
|
|
|
|
|
"content:\"two\"; within:5; http_server_body; sid:1;)");
|
|
|
|
|
FAIL_IF_NULL(de_ctx->sig_list);
|
|
|
|
|
|
|
|
|
|
FAIL_IF_NOT_NULL(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH]);
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_CONTENT ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->type != DETECT_PCRE) {
|
|
|
|
|
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
|
|
|
|
|
hsbd2->flags != DETECT_CONTENT_WITHIN ||
|
|
|
|
|
memcmp(hsbd2->content, "two", hsbd2->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest35(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(content:\"two\"; http_server_body; "
|
|
|
|
|
"pcre:/one/QR; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_PCRE ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->type != DETECT_CONTENT) {
|
|
|
|
|
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *hsbd1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
|
|
|
|
|
DetectPcreData *pd2 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
|
|
|
|
|
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
|
|
|
|
|
hsbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
|
|
|
|
|
memcmp(hsbd1->content, "two", hsbd1->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectHttpServerBodyTest36(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 0;
|
|
|
|
|
|
|
|
|
|
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(pcre:/one/Q; "
|
|
|
|
|
"content:\"two\"; distance:5; http_server_body; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
|
|
|
|
|
printf("de_ctx->sig_list->sm_lists[g_file_data_buffer_id] == NULL\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id] == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_CONTENT ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev == NULL ||
|
|
|
|
|
de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->type != DETECT_PCRE) {
|
|
|
|
|
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectPcreData *pd1 = (DetectPcreData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->prev->ctx;
|
|
|
|
|
DetectContentData *hsbd2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_file_data_buffer_id]->ctx;
|
|
|
|
|
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
|
|
|
|
|
hsbd2->flags != DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
memcmp(hsbd2->content, "two", hsbd2->content_len) != 0) {
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result = 1;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*\test Test that the http_server_body content matches against a http request
|
|
|
|
|
* which holds the content.
|
|
|
|
|
@ -8723,11 +7905,6 @@ void DetectHttpServerBodyRegisterTests(void)
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyParserTest01", DetectHttpServerBodyParserTest01);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyParserTest02", DetectHttpServerBodyParserTest02);
|
|
|
|
|
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest01", DetectHttpServerBodyTest01);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest02", DetectHttpServerBodyTest02);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest03", DetectHttpServerBodyTest03);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest04", DetectHttpServerBodyTest04);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest05", DetectHttpServerBodyTest05);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest06", DetectHttpServerBodyTest06);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest07", DetectHttpServerBodyTest07);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest08", DetectHttpServerBodyTest08);
|
|
|
|
|
@ -8738,21 +7915,6 @@ void DetectHttpServerBodyRegisterTests(void)
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest13", DetectHttpServerBodyTest13);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest14", DetectHttpServerBodyTest14);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest15", DetectHttpServerBodyTest15);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest22", DetectHttpServerBodyTest22);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest23", DetectHttpServerBodyTest23);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest24", DetectHttpServerBodyTest24);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest25", DetectHttpServerBodyTest25);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest26", DetectHttpServerBodyTest26);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest27", DetectHttpServerBodyTest27);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest28", DetectHttpServerBodyTest28);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest29", DetectHttpServerBodyTest29);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest30", DetectHttpServerBodyTest30);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest31", DetectHttpServerBodyTest31);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest32", DetectHttpServerBodyTest32);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest33", DetectHttpServerBodyTest33);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest34", DetectHttpServerBodyTest34);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest35", DetectHttpServerBodyTest35);
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyTest36", DetectHttpServerBodyTest36);
|
|
|
|
|
|
|
|
|
|
UtRegisterTest("DetectHttpServerBodyFileDataTest01",
|
|
|
|
|
DetectHttpServerBodyFileDataTest01);
|
|
|
|
|
|
Victor Julien
3 years ago