|
|
|
|
@ -1555,79 +1555,6 @@ static int DetectContentParseTest19(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (data->within == 10);
|
|
|
|
|
/*
|
|
|
|
|
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing dce iface, stub_data with contents & offset, depth\"; "
|
|
|
|
|
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
|
|
|
|
|
"dce_stub_data; "
|
|
|
|
|
"content:\"one\"; offset:5; depth:9; "
|
|
|
|
|
"content:\"two\"; within:10; sid:1;)");
|
|
|
|
|
if (s->next == NULL) {
|
|
|
|
|
printf ("failed dce iface, stub_data with contents & offset, depth");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
s = s->next;
|
|
|
|
|
if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
|
|
|
|
|
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
|
|
|
|
|
if (data->flags & DETECT_CONTENT_RAWBYTES ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NOCASE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_WITHIN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_FAST_PATTERN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NEGATED ||
|
|
|
|
|
result == 0) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (data->offset == 5 && data->depth == 9);
|
|
|
|
|
data = (DetectContentData *)s->sm_lists[g_dce_stub_data_buffer_id]->ctx;
|
|
|
|
|
if (data->flags & DETECT_CONTENT_RAWBYTES ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NOCASE ||
|
|
|
|
|
!(data->flags & DETECT_CONTENT_WITHIN) ||
|
|
|
|
|
data->flags & DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_FAST_PATTERN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NEGATED ||
|
|
|
|
|
result == 0) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing dce iface, stub with contents, distance\"; "
|
|
|
|
|
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
|
|
|
|
|
"dce_stub_data; "
|
|
|
|
|
"content:\"one\"; distance:0; "
|
|
|
|
|
"content:\"two\"; distance:2; sid:1;)");
|
|
|
|
|
if (s->next == NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
s = s->next;
|
|
|
|
|
if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
|
|
|
|
|
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
|
|
|
|
|
if (data->flags & DETECT_CONTENT_RAWBYTES ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NOCASE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_WITHIN ||
|
|
|
|
|
!(data->flags & DETECT_CONTENT_DISTANCE) ||
|
|
|
|
|
data->flags & DETECT_CONTENT_FAST_PATTERN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NEGATED ||
|
|
|
|
|
result == 0) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (data->distance == 2);
|
|
|
|
|
*/
|
|
|
|
|
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing dce iface, stub with contents, distance, within\"; "
|
|
|
|
|
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
|
|
|
|
|
@ -1657,97 +1584,6 @@ static int DetectContentParseTest19(void)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (data->within == 10 && data->distance == 2);
|
|
|
|
|
/*
|
|
|
|
|
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing dce iface, stub_data with content, offset\"; "
|
|
|
|
|
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
|
|
|
|
|
"dce_stub_data; "
|
|
|
|
|
"content:\"one\"; offset:10; sid:1;)");
|
|
|
|
|
if (s->next == NULL) {
|
|
|
|
|
printf ("Failed dce iface, stub_data with content, offset ");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
s = s->next;
|
|
|
|
|
if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
|
|
|
|
|
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
|
|
|
|
|
if (data->flags & DETECT_CONTENT_RAWBYTES ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NOCASE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_WITHIN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_FAST_PATTERN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NEGATED ||
|
|
|
|
|
result == 0) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (data->offset == 10);
|
|
|
|
|
|
|
|
|
|
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing dce iface, stub_data with content, depth\"; "
|
|
|
|
|
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
|
|
|
|
|
"dce_stub_data; "
|
|
|
|
|
"content:\"one\"; depth:10; sid:1;)");
|
|
|
|
|
if (s->next == NULL) {
|
|
|
|
|
printf ("failed dce iface, stub_data with content, depth");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
s = s->next;
|
|
|
|
|
if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
|
|
|
|
|
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
|
|
|
|
|
if (data->flags & DETECT_CONTENT_RAWBYTES ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NOCASE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_WITHIN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_FAST_PATTERN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NEGATED ||
|
|
|
|
|
result == 0) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (data->depth == 10);
|
|
|
|
|
|
|
|
|
|
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing dce iface, stub_data with content, offset, depth\"; "
|
|
|
|
|
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
|
|
|
|
|
"dce_stub_data; "
|
|
|
|
|
"content:\"one\"; offset:10; depth:3; sid:1;)");
|
|
|
|
|
if (s->next == NULL) {
|
|
|
|
|
printf("failed dce iface, stub_data with content, offset, depth");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
s = s->next;
|
|
|
|
|
if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
|
|
|
|
|
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
|
|
|
|
|
if (data->flags & DETECT_CONTENT_RAWBYTES ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NOCASE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_WITHIN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_FAST_PATTERN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NEGATED ||
|
|
|
|
|
result == 0) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (data->offset == 10 && data->depth == 13);
|
|
|
|
|
*/
|
|
|
|
|
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing content\"; "
|
|
|
|
|
"content:\"one\"; sid:1;)");
|
|
|
|
|
|
Victor Julien
2 years ago