From d0c5f51293d88d123f99dbc4f20ece5cbc77e870 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Mon, 19 Aug 2013 20:52:17 +0530 Subject: [PATCH] Update rule engine relationship with regard to setting ip protocol between specifying protocol after action, ip_proto and app-layer-protocol. Now we can specify alproto, ip_proto combinations this way alert dns (ip_proto:[tcp/udp];) alert ip (app-layer-protocol:dns;) alert ip (app-layer-protocol:dns; ip_proto:tcp;) alert tcp (app-layer-protocol:dns:) so on. Neater than using dnstcp/dnsudp. This is related to feature #424. --- src/app-layer-dns-tcp.c | 4 +- src/app-layer-dns-udp.c | 8 +- src/detect-app-layer-protocol.c | 14 +- src/detect-dns-query.c | 1 + src/detect-ipproto.c | 409 ++++++++++++++++++++++++++++++++ src/detect-parse.c | 127 +++++----- src/detect.h | 1 + 7 files changed, 499 insertions(+), 65 deletions(-) diff --git a/src/app-layer-dns-tcp.c b/src/app-layer-dns-tcp.c index da96641f27..522dbb5b0f 100644 --- a/src/app-layer-dns-tcp.c +++ b/src/app-layer-dns-tcp.c @@ -584,12 +584,12 @@ void RegisterDNSTCPParsers(void) { IPPROTO_TCP, "53", proto_name, - ALPROTO_DNS_TCP, + ALPROTO_DNS, 0, sizeof(DNSTcpHeader), STREAM_TOSERVER, DNSTcpProbingParser); } else { - AppLayerParseProbingParserPorts(proto_name, ALPROTO_DNS_TCP, + AppLayerParseProbingParserPorts(proto_name, ALPROTO_DNS, 0, sizeof(DNSTcpHeader), DNSTcpProbingParser); } diff --git a/src/app-layer-dns-udp.c b/src/app-layer-dns-udp.c index cde5c8aa5f..71d552f77a 100644 --- a/src/app-layer-dns-udp.c +++ b/src/app-layer-dns-udp.c 
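Review bot: In RegisterDNSTCPParsers both probing-parser registrations now report `ALPROTO_DNS`, and the diffstat lists only four changed lines for this file, so any parser or state registration further down the function keeps the id it had before. If those registrations still use `ALPROTO_DNS_TCP` (not visible in the hunk), a flow detected as DNS may end up with no parser attached, and DNS rules would silently stop matching on TCP. The same question applies to the RegisterDNSUDPParsers hunk that follows. Worth confirming, and a short comment such as `/* probing parser reports the generic ALPROTO_DNS, not the per-transport id */` would record the intent. The function body starts and ends outside the hunk.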
@@ -304,14 +304,14 @@ void RegisterDNSUDPParsers(void) { IPPROTO_UDP, "53", proto_name, - ALPROTO_DNS_UDP, + ALPROTO_DNS, 0, sizeof(DNSHeader), STREAM_TOSERVER, DNSUdpProbingParser); } else { - AppLayerParseProbingParserPorts(proto_name, ALPROTO_DNS_UDP, - 0, sizeof(DNSHeader), - DNSUdpProbingParser); + AppLayerParseProbingParserPorts(proto_name, ALPROTO_DNS, + 0, sizeof(DNSHeader), + DNSUdpProbingParser); } } else { SCLogInfo("Protocol detection and parser disabled for %s protocol.", diff --git a/src/detect-app-layer-protocol.c b/src/detect-app-layer-protocol.c index 2a604f9a87..a2229c967d 100644 --- a/src/detect-app-layer-protocol.c +++ b/src/detect-app-layer-protocol.c @@ -71,11 +71,15 @@ static DetectAppLayerProtocolData *DetectAppLayerProtocolParse(const char *arg) while (*arg != '\0' && isspace((unsigned char)*arg)) arg++; - alproto = AppLayerGetProtoByName(arg); - if (alproto == ALPROTO_UNKNOWN) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-protocol " - "keyword supplied with unknown protocol \"%s\"", arg); - return NULL; + if (strcasecmp(arg, "dns") == 0) { + alproto = ALPROTO_DNS; + } else { + alproto = AppLayerGetProtoByName(arg); + if (alproto == ALPROTO_UNKNOWN) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-protocol " + "keyword supplied with unknown protocol \"%s\"", arg); + return NULL; + } } data = SCMalloc(sizeof(DetectAppLayerProtocolData)); diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c index 4a1af274c5..4275fa68ac 100644 --- a/src/detect-dns-query.c +++ b/src/detect-dns-query.c @@ -90,6 +90,7 @@ void DetectDnsQueryRegister (void) { static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, char *str) { s->list = DETECT_SM_LIST_DNSQUERY_MATCH; + s->alproto = ALPROTO_DNS; return 0; } diff --git a/src/detect-ipproto.c b/src/detect-ipproto.c index 89e25ca933..f03b71b2c7 100644 --- a/src/detect-ipproto.c +++ b/src/detect-ipproto.c 
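Review bot: In DetectAppLayerProtocolParse (src/detect-app-layer-protocol.c) the new `strcasecmp(arg, "dns") == 0` branch maps `dns` by hand instead of going through `AppLayerGetProtoByName`, and it is case-insensitive and exact-match only. So `DNS` is accepted here, while a value with trailing whitespace falls through to the lookup and may be rejected as unknown. The hunk does not say why `dns` needs a special case; if the reason is that the parsers register under per-transport names, a comment like `/* "dns" is not a registered parser name, so map it explicitly */` would help the next reader. Trimming trailing whitespace before the comparison would make the two paths behave alike. The function continues outside the hunk.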
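Review bot: DetectDnsQuerySetup (src/detect-dns-query.c) now assigns `s->alproto = ALPROTO_DNS;` unconditionally, so a rule that already fixed a different app-layer protocol (via the protocol after the action, or via app-layer-protocol) has it overwritten instead of being rejected. Such a rule would load cleanly but inspect traffic its author did not intend, which is a quiet detection gap. Assuming an unset `alproto` is `ALPROTO_UNKNOWN`, a guard before the assignment would catch it: `if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DNS) { SCLogError(SC_ERR_INVALID_SIGNATURE, "dns query keyword used with a non-DNS protocol"); return -1; }`. Whether a later stage in detect-parse.c already rejects the conflict cannot be seen from this hunk.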
@@ -240,6 +240,21 @@ static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, char *optst if (s->proto.flags & (DETECT_PROTO_ANY | DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4)) { s->proto.flags &= ~DETECT_PROTO_ANY; memset(s->proto.proto, 0x00, sizeof(s->proto.proto)); + s->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + } else { + /* The ipproto engine has a relationship with the protocol that is + * set after the action and also the app protocol(that can also be + * set through the app-layer-protocol. + * An ip_proto keyword can be used only with alert ip, which if + * not true we error out on the sig. And hence the init_flag to + * indicate this. */ + if (!(s->init_flags & SIG_FLAG_INIT_FIRST_IPPROTO_SEEN)) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature can use " + "ip_proto keyword only when we use alert ip, " + "in which case the _ANY flag is set on the sig " + "and the if condition should match."); + goto error; + } } int eq_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_EQ); @@ -621,6 +636,8 @@ static int DetectIPProtoTestSetup01(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; DetectIPProtoSetup(NULL, sig, value_str); for (i = 0; i < (value / 8); i++) { if (sig->proto.proto[i] != 0) @@ -659,6 +676,8 @@ static int DetectIPProtoTestSetup02(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; DetectIPProtoSetup(NULL, sig, value_str); for (i = 0; i < (value / 8); i++) { if (sig->proto.proto[i] != 0) @@ -694,6 +713,8 @@ static int DetectIPProtoTestSetup03(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; DetectIPProtoSetup(NULL, sig, value_str); for (i = 0; i < (value / 8); i++) { if (sig->proto.proto[i] != 0xFF) 
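Review bot: The new `SCLogError` in the else branch of DetectIPProtoSetup describes internal flag state ("the _ANY flag is set on the sig and the if condition should match") rather than telling the rule author what to change, and its "only when we use alert ip" wording disagrees with the commit message, which lists `alert dns (ip_proto:...)` as valid. A message such as `"ip_proto keyword cannot be combined with the protocol given after the rule action"` would be actionable. Separately, the unchanged condition still tests `DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4`, so for signatures carrying those flags the first branch appears to run on every ip_proto keyword and the `memset` would wipe what an earlier ip_proto keyword set; worth confirming against the code before the hunk. The added block comment also has an unclosed parenthesis after "app protocol". The function starts and ends outside the hunk.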
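Review bot: Every DetectIPProtoTestSetupNN hunk from DetectIPProtoTestSetup01 onward pre-sets `SIG_FLAG_INIT_FIRST_IPPROTO_SEEN` together with `DETECT_PROTO_ANY`, but with `DETECT_PROTO_ANY` set DetectIPProtoSetup takes its first branch and sets that init flag itself. The extra line is therefore redundant, and it would hide a regression in which Setup stops setting the flag; `sig->proto.flags |= DETECT_PROTO_ANY;` alone should be enough. None of the visible tests exercises the new rejection path: a case that calls `DetectIPProtoSetup` on a signature without `DETECT_PROTO_ANY` (assuming SigAlloc leaves `proto.flags` clear) and expects `-1` would pin it. The same preamble is repeated in each test and could live in one small static helper.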
@@ -728,6 +749,8 @@ static int DetectIPProtoTestSetup04(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; DetectIPProtoSetup(NULL, sig, value_str); for (i = 0; i < (value / 8); i++) { if (sig->proto.proto[i] != 0) @@ -762,6 +785,8 @@ static int DetectIPProtoTestSetup05(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; DetectIPProtoSetup(NULL, sig, value_str); for (i = 0; i < (value / 8); i++) { if (sig->proto.proto[i] != 0xFF) @@ -795,6 +820,8 @@ static int DetectIPProtoTestSetup06(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -820,6 +847,8 @@ static int DetectIPProtoTestSetup07(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -845,6 +874,8 @@ static int DetectIPProtoTestSetup08(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -870,6 +901,8 @@ static int DetectIPProtoTestSetup09(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) 
@@ -895,6 +928,8 @@ static int DetectIPProtoTestSetup10(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -920,6 +955,8 @@ static int DetectIPProtoTestSetup11(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -945,6 +982,8 @@ static int DetectIPProtoTestSetup12(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -970,6 +1009,8 @@ static int DetectIPProtoTestSetup13(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -992,6 +1033,8 @@ static int DetectIPProtoTestSetup14(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) @@ -1016,6 +1059,8 @@ static int DetectIPProtoTestSetup15(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { 
@@ -1050,6 +1095,8 @@ static int DetectIPProtoTestSetup15(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -1093,6 +1140,8 @@ static int DetectIPProtoTestSetup16(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < (value2 / 8); i++) { @@ -1127,6 +1176,8 @@ static int DetectIPProtoTestSetup16(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -1170,6 +1221,8 @@ static int DetectIPProtoTestSetup17(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { @@ -1204,6 +1257,8 @@ static int DetectIPProtoTestSetup17(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -1243,6 +1298,8 @@ static int DetectIPProtoTestSetup18(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < (value2 / 8); i++) { 
@@ -1277,6 +1334,8 @@ static int DetectIPProtoTestSetup18(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -1317,6 +1376,8 @@ static int DetectIPProtoTestSetup19(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -1354,6 +1415,8 @@ static int DetectIPProtoTestSetup19(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -1399,6 +1462,8 @@ static int DetectIPProtoTestSetup20(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { @@ -1434,6 +1499,8 @@ static int DetectIPProtoTestSetup20(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -1480,6 +1547,8 @@ static int DetectIPProtoTestSetup21(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -1517,6 +1586,8 @@ static int DetectIPProtoTestSetup21(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -1563,6 +1634,8 @@ static int DetectIPProtoTestSetup22(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -1600,6 +1673,8 @@ static int DetectIPProtoTestSetup22(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -1645,6 +1720,8 @@ static int DetectIPProtoTestSetup23(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; for (i = 0; i < (value3 / 8); i++) { @@ -1680,6 +1757,8 @@ static int DetectIPProtoTestSetup23(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -1726,6 +1805,8 @@ static int DetectIPProtoTestSetup24(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) 
@@ -1763,6 +1844,8 @@ static int DetectIPProtoTestSetup24(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -1809,6 +1892,8 @@ static int DetectIPProtoTestSetup25(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -1846,6 +1931,8 @@ static int DetectIPProtoTestSetup25(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -1891,6 +1978,8 @@ static int DetectIPProtoTestSetup26(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { @@ -1925,6 +2014,8 @@ static int DetectIPProtoTestSetup26(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -1971,6 +2062,8 @@ static int DetectIPProtoTestSetup27(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -2007,6 +2100,8 @@ static int DetectIPProtoTestSetup27(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -2053,6 +2148,8 @@ static int DetectIPProtoTestSetup28(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -2090,6 +2187,8 @@ static int DetectIPProtoTestSetup28(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -2135,6 +2234,8 @@ static int DetectIPProtoTestSetup29(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; for (i = 0; i < (value3 / 8); i++) { @@ -2170,6 +2271,8 @@ static int DetectIPProtoTestSetup29(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -2216,6 +2319,8 @@ static int DetectIPProtoTestSetup30(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) 
@@ -2253,6 +2358,8 @@ static int DetectIPProtoTestSetup30(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -2299,6 +2406,8 @@ static int DetectIPProtoTestSetup31(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -2336,6 +2445,8 @@ static int DetectIPProtoTestSetup31(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -2381,6 +2492,8 @@ static int DetectIPProtoTestSetup32(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { @@ -2416,6 +2529,8 @@ static int DetectIPProtoTestSetup32(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -2462,6 +2577,8 @@ static int DetectIPProtoTestSetup33(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -2499,6 +2616,8 @@ static int DetectIPProtoTestSetup33(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -2546,6 +2665,8 @@ static int DetectIPProtoTestSetup34(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -2583,6 +2704,8 @@ static int DetectIPProtoTestSetup34(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -2610,6 +2733,8 @@ static int DetectIPProtoTestSetup35(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; for (i = 0; i < (value3 / 8); i++) { @@ -2645,6 +2770,8 @@ static int DetectIPProtoTestSetup35(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -2691,6 +2818,8 @@ static int DetectIPProtoTestSetup36(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) 
@@ -2728,6 +2857,8 @@ static int DetectIPProtoTestSetup36(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -2774,6 +2905,8 @@ static int DetectIPProtoTestSetup37(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -2811,6 +2944,8 @@ static int DetectIPProtoTestSetup37(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -2849,6 +2984,8 @@ static int DetectIPProtoTestSetup38(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { @@ -2884,6 +3021,8 @@ static int DetectIPProtoTestSetup38(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -2923,6 +3062,8 @@ static int DetectIPProtoTestSetup39(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -2960,6 +3101,8 @@ static int DetectIPProtoTestSetup39(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -3000,6 +3143,8 @@ static int DetectIPProtoTestSetup40(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -3037,6 +3182,8 @@ static int DetectIPProtoTestSetup40(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -3076,6 +3223,8 @@ static int DetectIPProtoTestSetup41(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; for (i = 0; i < (value3 / 8); i++) { @@ -3111,6 +3260,8 @@ static int DetectIPProtoTestSetup41(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -3151,6 +3302,8 @@ static int DetectIPProtoTestSetup42(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) 
@@ -3188,6 +3341,8 @@ static int DetectIPProtoTestSetup42(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -3228,6 +3383,8 @@ static int DetectIPProtoTestSetup43(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -3269,6 +3426,8 @@ static int DetectIPProtoTestSetup43(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -3318,6 +3477,8 @@ static int DetectIPProtoTestSetup44(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -3356,6 +3517,8 @@ static int DetectIPProtoTestSetup44(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -3406,6 +3569,8 @@ static int DetectIPProtoTestSetup45(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -3447,6 +3612,8 @@ static int DetectIPProtoTestSetup45(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -3495,6 +3662,8 @@ static int DetectIPProtoTestSetup46(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < (value2 / 8); i++) { @@ -3531,6 +3700,8 @@ static int DetectIPProtoTestSetup46(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -3580,6 +3751,8 @@ static int DetectIPProtoTestSetup47(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -3618,6 +3791,8 @@ static int DetectIPProtoTestSetup47(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -3666,6 +3841,8 @@ static int DetectIPProtoTestSetup48(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; for (i = 0; i < (value3 / 8); i++) { 
@@ -3702,6 +3879,8 @@ static int DetectIPProtoTestSetup48(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -3752,6 +3931,8 @@ static int DetectIPProtoTestSetup49(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -3790,6 +3971,8 @@ static int DetectIPProtoTestSetup49(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -3836,6 +4019,8 @@ static int DetectIPProtoTestSetup50(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -3874,6 +4059,8 @@ static int DetectIPProtoTestSetup50(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -3921,6 +4108,8 @@ static int DetectIPProtoTestSetup51(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -3959,6 +4148,8 @@ static int DetectIPProtoTestSetup51(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -4004,6 +4195,8 @@ static int DetectIPProtoTestSetup52(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < (value2 / 8); i++) { @@ -4040,6 +4233,8 @@ static int DetectIPProtoTestSetup52(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -4086,6 +4281,8 @@ static int DetectIPProtoTestSetup53(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -4124,6 +4321,8 @@ static int DetectIPProtoTestSetup53(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -4169,6 +4368,8 @@ static int DetectIPProtoTestSetup54(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; for (i = 0; i < (value3 / 8); i++) { 
@@ -4205,6 +4406,8 @@ static int DetectIPProtoTestSetup54(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -4250,6 +4453,8 @@ static int DetectIPProtoTestSetup55(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { @@ -4286,6 +4491,8 @@ static int DetectIPProtoTestSetup55(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -4332,6 +4539,8 @@ static int DetectIPProtoTestSetup56(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -4370,6 +4579,8 @@ static int DetectIPProtoTestSetup56(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -4415,6 +4626,8 @@ static int DetectIPProtoTestSetup57(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < value2 / 8; i++) { 
@@ -4451,6 +4664,8 @@ static int DetectIPProtoTestSetup57(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -4497,6 +4712,8 @@ static int DetectIPProtoTestSetup58(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -4535,6 +4752,8 @@ static int DetectIPProtoTestSetup58(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -4581,6 +4800,8 @@ static int DetectIPProtoTestSetup59(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -4619,6 +4840,8 @@ static int DetectIPProtoTestSetup59(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -4665,6 +4888,8 @@ static int DetectIPProtoTestSetup60(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) 
@@ -4703,6 +4928,8 @@ static int DetectIPProtoTestSetup60(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -4748,6 +4975,8 @@ static int DetectIPProtoTestSetup61(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { @@ -4784,6 +5013,8 @@ static int DetectIPProtoTestSetup61(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -4833,6 +5064,8 @@ static int DetectIPProtoTestSetup62(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -4871,6 +5104,8 @@ static int DetectIPProtoTestSetup62(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -4919,6 +5154,8 @@ static int DetectIPProtoTestSetup63(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; for (i = 0; i < value2 / 8; i++) { 
@@ -4955,6 +5192,8 @@ static int DetectIPProtoTestSetup63(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5005,6 +5244,8 @@ static int DetectIPProtoTestSetup64(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -5046,6 +5287,8 @@ static int DetectIPProtoTestSetup64(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -5095,6 +5338,8 @@ static int DetectIPProtoTestSetup65(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5133,6 +5378,8 @@ static int DetectIPProtoTestSetup65(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5183,6 +5430,8 @@ static int DetectIPProtoTestSetup66(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) 
@@ -5224,6 +5473,8 @@ static int DetectIPProtoTestSetup66(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -5273,6 +5524,8 @@ static int DetectIPProtoTestSetup67(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -5316,6 +5569,8 @@ static int DetectIPProtoTestSetup68(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5359,6 +5614,8 @@ static int DetectIPProtoTestSetup69(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -5395,6 +5652,8 @@ static int DetectIPProtoTestSetup70(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5431,6 +5690,8 @@ static int DetectIPProtoTestSetup71(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) 
@@ -5467,6 +5728,8 @@ static int DetectIPProtoTestSetup72(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5503,6 +5766,8 @@ static int DetectIPProtoTestSetup73(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -5546,6 +5811,8 @@ static int DetectIPProtoTestSetup74(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5588,6 +5855,8 @@ static int DetectIPProtoTestSetup75(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -5623,6 +5892,8 @@ static int DetectIPProtoTestSetup76(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5658,6 +5929,8 @@ static int DetectIPProtoTestSetup77(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) 
@@ -5693,6 +5966,8 @@ static int DetectIPProtoTestSetup78(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5729,6 +6004,8 @@ static int DetectIPProtoTestSetup79(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -5764,6 +6041,8 @@ static int DetectIPProtoTestSetup80(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5799,6 +6078,8 @@ static int DetectIPProtoTestSetup81(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -5835,6 +6116,8 @@ static int DetectIPProtoTestSetup82(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5871,6 +6154,8 @@ static int DetectIPProtoTestSetup83(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) 
@@ -5907,6 +6192,8 @@ static int DetectIPProtoTestSetup84(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -5943,6 +6230,8 @@ static int DetectIPProtoTestSetup85(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -5979,6 +6268,8 @@ static int DetectIPProtoTestSetup86(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -6016,6 +6307,8 @@ static int DetectIPProtoTestSetup87(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -6062,6 +6355,8 @@ static int DetectIPProtoTestSetup88(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -6108,6 +6403,8 @@ static int DetectIPProtoTestSetup89(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -6154,6 +6451,8 @@ static int DetectIPProtoTestSetup90(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -6200,6 +6499,8 @@ static int DetectIPProtoTestSetup91(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -6246,6 +6547,8 @@ static int DetectIPProtoTestSetup92(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -6292,6 +6595,8 @@ static int DetectIPProtoTestSetup93(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -6335,6 +6640,8 @@ static int DetectIPProtoTestSetup94(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -6378,6 +6685,8 @@ static int DetectIPProtoTestSetup95(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -6421,6 +6730,8 @@ static int DetectIPProtoTestSetup96(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -6464,6 +6775,8 @@ static int DetectIPProtoTestSetup97(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -6507,6 +6820,8 @@ static int DetectIPProtoTestSetup98(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -6551,6 +6866,8 @@ static int DetectIPProtoTestSetup99(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -6595,6 +6912,8 @@ static int DetectIPProtoTestSetup100(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -6639,6 +6958,8 @@ static int DetectIPProtoTestSetup101(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -6683,6 +7004,8 @@ static int DetectIPProtoTestSetup102(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -6727,6 +7050,8 @@ static int DetectIPProtoTestSetup103(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -6771,6 +7096,8 @@ static int DetectIPProtoTestSetup104(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -6815,6 +7142,8 @@ static int DetectIPProtoTestSetup105(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -6862,6 +7191,8 @@ static int DetectIPProtoTestSetup106(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -6909,6 +7240,8 @@ static int DetectIPProtoTestSetup107(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -6956,6 +7289,8 @@ static int DetectIPProtoTestSetup108(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -7003,6 +7338,8 @@ static int DetectIPProtoTestSetup109(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -7050,6 +7387,8 @@ static int DetectIPProtoTestSetup110(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -7096,6 +7435,8 @@ static int DetectIPProtoTestSetup111(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -7142,6 +7483,8 @@ static int DetectIPProtoTestSetup112(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -7188,6 +7531,8 @@ static int DetectIPProtoTestSetup113(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -7234,6 +7579,8 @@ static int DetectIPProtoTestSetup114(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -7280,6 +7627,8 @@ static int DetectIPProtoTestSetup115(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -7326,6 +7675,8 @@ static int DetectIPProtoTestSetup116(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -7372,6 +7723,8 @@ static int DetectIPProtoTestSetup117(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -7418,6 +7771,8 @@ static int DetectIPProtoTestSetup118(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -7464,6 +7819,8 @@ static int DetectIPProtoTestSetup119(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -7510,6 +7867,8 @@ static int DetectIPProtoTestSetup120(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -7556,6 +7915,8 @@ static int DetectIPProtoTestSetup121(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -7602,6 +7963,8 @@ static int DetectIPProtoTestSetup122(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -7648,6 +8011,8 @@ static int DetectIPProtoTestSetup123(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -7694,6 +8059,8 @@ static int DetectIPProtoTestSetup124(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -7740,6 +8107,8 @@ static int DetectIPProtoTestSetup125(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) 
@@ -7786,6 +8155,8 @@ static int DetectIPProtoTestSetup126(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -7832,6 +8203,8 @@ static int DetectIPProtoTestSetup127(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -7878,6 +8251,8 @@ static int DetectIPProtoTestSetup128(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -7922,6 +8297,8 @@ static int DetectIPProtoTestSetup129(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; for (i = 0; i < (value1 / 8); i++) { @@ -7957,6 +8334,8 @@ static int DetectIPProtoTestSetup130(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) @@ -7992,6 +8371,8 @@ static int DetectIPProtoTestSetup131(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) 
@@ -8027,6 +8408,8 @@ static int DetectIPProtoTestSetup132(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -8062,6 +8445,8 @@ static int DetectIPProtoTestSetup133(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -8098,6 +8483,8 @@ static int DetectIPProtoTestSetup134(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -8140,6 +8527,8 @@ static int DetectIPProtoTestSetup135(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) @@ -8202,6 +8591,8 @@ static int DetectIPProtoTestSetup136(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value8_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value7_str) != 0) @@ -8264,6 +8655,8 @@ static int DetectIPProtoTestSetup137(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value5_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value7_str) != 0) 
@@ -8326,6 +8719,8 @@ static int DetectIPProtoTestSetup138(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value7_str) != 0) @@ -8388,6 +8783,8 @@ static int DetectIPProtoTestSetup139(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value7_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value5_str) != 0) @@ -8450,6 +8847,8 @@ static int DetectIPProtoTestSetup140(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value4_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -8512,6 +8911,8 @@ static int DetectIPProtoTestSetup141(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value6_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) @@ -8574,6 +8975,8 @@ static int DetectIPProtoTestSetup142(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value4_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) @@ -8638,6 +9041,8 @@ static int DetectIPProtoTestSetup143(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) 
@@ -8706,6 +9111,8 @@ static int DetectIPProtoTestSetup144(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value10_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value9_str) != 0) @@ -8774,6 +9181,8 @@ static int DetectIPProtoTestSetup145(void) if ((sig = SigAlloc()) == NULL) goto end; + sig->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; + sig->proto.flags |= DETECT_PROTO_ANY; if (DetectIPProtoSetup(NULL, sig, value5_str) != 0) goto end; if (DetectIPProtoSetup(NULL, sig, value8_str) != 0) diff --git a/src/detect-parse.c b/src/detect-parse.c index f1dd264ae0..72ba752d8b 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c 
@@ -585,56 +585,33 @@ error: int SigParseProto(Signature *s, const char *protostr) { SCEnter(); + AppLayerProbingParser *pp; + AppLayerProbingParserPort *pp_port; + AppLayerProbingParserElement *pp_pe; + int r = DetectProtoParse(&s->proto, (char *)protostr); if (r < 0) { s->alproto = AppLayerGetProtoByName(protostr); - if (s->alproto != ALPROTO_UNKNOWN) { - /* indicate that the signature is app-layer */ + /* indicate that the signature is app-layer */ + if (s->alproto != ALPROTO_UNKNOWN) s->flags |= SIG_FLAG_APPLAYER; - /* We are going to set ip proto from the - * registered applayer signatures for proto detection */ - AlpProtoSignature *als = alp_proto_ctx.head; - while (als != NULL) { - if (als->proto == s->alproto) { - /* Set the ipproto that this AL proto detection sig needs - * Note that an AL proto can be present in more than one - * IP proto (over TCP, UDP..) */ - s->proto.proto[als->ip_proto / 8] |= 1 << (als->ip_proto % 8); + for (pp = alp_proto_ctx.probing_parsers; pp != NULL; pp = pp->next) { + for (pp_port = pp->port; pp_port != NULL; pp_port = pp_port->next) { + for (pp_pe = pp_port->toserver; pp_pe != NULL; pp_pe = pp_pe->next) { + if (strcasecmp(pp_pe->al_proto_name, protostr) != 0) + continue; + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = pp_pe->al_proto; } - als = als->next; - } - } - - AppLayerProbingParser *pp = alp_proto_ctx.probing_parsers; - while (pp != NULL) { - AppLayerProbingParserPort *pp_port = pp->port; - while (pp_port != NULL) { - AppLayerProbingParserElement *pp_pe = pp_port->toserver; - while (pp_pe != NULL) { - if (strcasecmp(pp_pe->al_proto_name, protostr) == 0) { - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = pp_pe->al_proto; - s->proto.proto[pp->ip_proto / 8] |= 1 << (pp->ip_proto % 8); - } - - pp_pe = pp_pe->next; - } - - pp_pe = pp_port->toclient; - while (pp_pe != NULL) { - if (strcasecmp(pp_pe->al_proto_name, protostr) == 0) { - s->flags |= SIG_FLAG_APPLAYER; - s->alproto = pp_pe->al_proto; - s->proto.proto[pp->ip_proto / 
8] |= 1 << (pp->ip_proto % 8); - } - pp_pe = pp_pe->next; + for (pp_pe = pp_port->toclient; pp_pe != NULL; pp_pe = pp_pe->next) { + if (strcasecmp(pp_pe->al_proto_name, protostr) != 0) + continue; + s->flags |= SIG_FLAG_APPLAYER; + s->alproto = pp_pe->al_proto; } - - pp_port = pp_port->next; } - pp = pp->next; } if (s->alproto == ALPROTO_UNKNOWN) { @@ -832,18 +809,14 @@ static int SigParseBasics(Signature *s, char *sigstr, char ***result, uint8_t ad if (IPOnlySigParseAddress(s, arr[CONFIG_DST], SIG_DIREC_DST ^ addrs_direction) < 0) goto error; - - /* For "ip" we parse the ports as well, even though they will be just "any". - * We do this for later sgh building for the tcp and udp protocols. */ - if (DetectProtoContainsProto(&s->proto, IPPROTO_TCP) || - DetectProtoContainsProto(&s->proto, IPPROTO_UDP) || - DetectProtoContainsProto(&s->proto, IPPROTO_SCTP)) - { - if (SigParsePort(s, arr[CONFIG_SP], SIG_DIREC_SRC ^ addrs_direction) < 0) - goto error; - if (SigParsePort(s, arr[CONFIG_DP], SIG_DIREC_DST ^ addrs_direction) < 0) - goto error; - } + /* By AWS - Traditionally we should be doing this only for tcp/udp/sctp, + * but we do it for regardless of ip proto, since the dns/dnstcp/dnsudp + * changes that we made sees to it that at this point of time we don't + * set the ip proto for the sig. We do it a bit later. */ + if (SigParsePort(s, arr[CONFIG_SP], SIG_DIREC_SRC ^ addrs_direction) < 0) + goto error; + if (SigParsePort(s, arr[CONFIG_DP], SIG_DIREC_DST ^ addrs_direction) < 0) + goto error; *result = (char **)arr; return 0; @@ -1368,6 +1341,11 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) { static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr, uint8_t dir) { + AlpProtoSignature *als; + AppLayerProbingParser *pp; + AppLayerProbingParserPort *pp_port; + AppLayerProbingParserElement *pp_pe; + SigMatch *sm; Signature *sig = SigAlloc(); if (sig == NULL) goto error; 
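Review bot: SigParseProto no longer sets any bit in `s->proto.proto` for an app-layer protocol name, and nothing in the function says the IP protocol is now filled in elsewhere, so it reads as if the signature is left without a protocol. A comment above the probing-parser loop, for example `/* ip proto for an app-layer rule is resolved later in SigInitHelper() */`, would make the contract explicit. Any option setup code that inspects `s->proto` between the two points would see an empty set and should be checked. The toserver and toclient loops are identical apart from the list head and keep scanning after a match, so when several elements share the name the last one decides `s->alproto`; a shared helper that stops at the first match would be easier to reason about. The function body continues past the end of the hunk.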
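Review bot: Dropping the TCP/UDP/SCTP guard means `SigParsePort` now runs for every rule, including protocols that carry no ports, so a port value the old code never looked at is now parsed and can make the rule fail to load or leave a port constraint on it. Whether that constraint is later ignored for port-less protocols is not visible here; if it is not, such a rule would silently stop matching. Once the IP protocol is final in SigInitHelper, it is worth rejecting or resetting non-`any` ports when none of TCP, UDP or SCTP is set. The new comment could also be reworded and lose the author tag, e.g. `/* Parse ports regardless of ip proto: for app-layer rules the ip proto is not known yet and is set later in SigInitHelper(). */`. SigParseBasics starts before and ends after this hunk.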
@@ -1385,7 +1363,48 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr, sig->num = de_ctx->signum; de_ctx->signum++; - SigMatch *sm; + if (sig->alproto != ALPROTO_UNKNOWN) { + int override_needed = 0; + if (sig->proto.flags & DETECT_PROTO_ANY) { + sig->proto.flags &= ~DETECT_PROTO_ANY; + memset(sig->proto.proto, 0x00, sizeof(sig->proto.proto)); + override_needed = 1; + } else { + override_needed = 1; + size_t s = 0; + for (s = 0; s < sizeof(sig->proto.proto); s++) { + if (sig->proto.proto[s] != 0x00) { + override_needed = 0; + break; + } + } + } + + /* at this point if we had alert ip and the ip proto was not + * overridden, we use the ip proto that has been configured + * against the app proto in use. */ + if (override_needed) { + + for (als = alp_proto_ctx.head; als != NULL; als = als->next) { + if (sig->alproto == als->proto) + sig->proto.proto[als->ip_proto / 8] |= 1 << (als->ip_proto % 8); + } + + for (pp = alp_proto_ctx.probing_parsers; pp != NULL; pp = pp->next) { + for (pp_port = pp->port; pp_port != NULL; pp_port = pp_port->next) { + for (pp_pe = pp_port->toserver; pp_pe != NULL; pp_pe = pp_pe->next) { + if (sig->alproto == pp_pe->al_proto) + sig->proto.proto[pp->ip_proto / 8] |= 1 << (pp->ip_proto % 8); + } + for (pp_pe = pp_port->toclient; pp_pe != NULL; pp_pe = pp_pe->next) { + if (sig->alproto == pp_pe->al_proto) + sig->proto.proto[pp->ip_proto / 8] |= 1 << (pp->ip_proto % 8); + } + } + } + } /* if */ + } /* if */ + /* set mpm_content_len */ /* determine the length of the longest pattern in the sig */ diff --git a/src/detect.h b/src/detect.h index f7bae80d18..c081035126 100644 --- a/src/detect.h +++ b/src/detect.h 
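Review bot: When `override_needed` is set and neither the `alp_proto_ctx.head` walk nor the probing-parser walk finds an entry for `sig->alproto`, the signature leaves this block with `DETECT_PROTO_ANY` cleared and `sig->proto.proto` all zero, so it loads without error but can match no IP protocol. For a detection rule that is a silent gap; the block should check that at least one bit was set after the loops and reject the rule otherwise, as sketched below. The `error` label is used earlier in SigInitHelper, whose body starts before and continues after this hunk, so what that path releases should be confirmed. An explicit IP protocol that is incompatible with the app-layer protocol also passes through here unchecked and may deserve the same treatment.

```c
        if (override_needed) {
            /* … unchanged: als and probing-parser loops that set sig->proto.proto bits … */

            /* no ip proto registered for this app proto: the rule could never match */
            size_t i;
            for (i = 0; i < sizeof(sig->proto.proto); i++) {
                if (sig->proto.proto[i] != 0x00)
                    break;
            }
            if (i == sizeof(sig->proto.proto)) {
                SCLogError(SC_ERR_INVALID_SIGNATURE, "no ip protocol is "
                           "registered for the app-layer protocol of this rule");
                goto error;
            }
        } /* if */
```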
@@ -284,6 +284,7 @@ typedef struct DetectPort_ { #define SIG_FLAG_INIT_FLOW (1<<2) /**< signature has a flow setting */ #define SIG_FLAG_INIT_BIDIREC (1<<3) /**< signature has bidirectional operator */ #define SIG_FLAG_INIT_PAYLOAD (1<<4) /**< signature is inspecting the packet payload */ +#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN (1 << 5) /** < signature has seen the first ip_proto keyword */ /* signature mask flags */ #define SIG_MASK_REQUIRE_PAYLOAD (1<<0)
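Review bot: The trailing comment on `SIG_FLAG_INIT_FIRST_IPPROTO_SEEN` opens with `/** <` rather than the `/**<` marker used on the neighbouring flags, so Doxygen will likely not attach the description to this define. The shift is also written `(1 << 5)` where the surrounding flags use the `(1<<4)` form. Suggested line: `#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN (1<<5) /**< signature has seen the first ip_proto keyword */`.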