aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: set mpm/prefilter during signature parsing

Browse Source 
In preparation of flowbit prefilter work that needs this info
earlier.

Track potential prefilter sm's to avoid unnecessary looping during
setup.
pull/12462/head
Victor Julien 3 years ago committed by Victor Julien
parent 5d9fad5edf
commit d6b56929d3
9 changed files with 162 additions and 212 deletions
Show Stats Download Patch File Download Diff File

84
src/detect-byte-extract.c
Unescape Escape View File

@ -1945,9 +1945,8 @@ static int DetectByteExtractTest43(void)
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_OFFSET_VAR |
DETECT_CONTENT_OFFSET) ||
cd->offset != bed->local_id) {
cd->flags != (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_OFFSET | DETECT_CONTENT_MPM) ||
cd->offset != bed->local_id) {
printf("three failed\n");
result = 0;
goto end;
@ -2049,9 +2048,8 @@ static int DetectByteExtractTest44(void)
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_OFFSET_VAR |
DETECT_CONTENT_OFFSET) ||
cd->offset != bed1->local_id) {
cd->flags != (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_OFFSET | DETECT_CONTENT_MPM) ||
cd->offset != bed1->local_id) {
printf("four failed\n");
result = 0;
goto end;
@ -2158,10 +2156,8 @@ static int DetectByteExtractTest45(void)
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_DEPTH_VAR |
DETECT_CONTENT_DEPTH) ||
cd->depth != bed->local_id ||
cd->offset != 0) {
cd->flags != (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_DEPTH | DETECT_CONTENT_MPM) ||
cd->depth != bed->local_id || cd->offset != 0) {
printf("three failed\n");
result = 0;
goto end;
@ -2263,9 +2259,8 @@ static int DetectByteExtractTest46(void)
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_DEPTH_VAR |
DETECT_CONTENT_DEPTH) ||
cd->depth != bed1->local_id) {
cd->flags != (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_DEPTH | DETECT_CONTENT_MPM) ||
cd->depth != bed1->local_id) {
printf("four failed\n");
result = 0;
goto end;
@ -2372,11 +2367,9 @@ static int DetectByteExtractTest47(void)
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
DETECT_CONTENT_DISTANCE) ||
cd->distance != bed->local_id ||
cd->offset != 0 ||
cd->depth != 0) {
cd->flags !=
(DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_DISTANCE | DETECT_CONTENT_MPM) ||
cd->distance != bed->local_id || cd->offset != 0 || cd->depth != 0) {
printf("three failed\n");
result = 0;
goto end;
@ -2478,12 +2471,9 @@ static int DetectByteExtractTest48(void)
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
DETECT_CONTENT_DISTANCE |
DETECT_CONTENT_DISTANCE_NEXT) ||
cd->distance != bed1->local_id ||
cd->depth != 0 ||
cd->offset != 0) {
cd->flags != (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_DISTANCE |
DETECT_CONTENT_DISTANCE_NEXT | DETECT_CONTENT_MPM) ||
cd->distance != bed1->local_id || cd->depth != 0 || cd->offset != 0) {
printf("four failed\n");
result = 0;
goto end;
@ -2592,12 +2582,8 @@ static int DetectByteExtractTest49(void)
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_WITHIN_VAR |
DETECT_CONTENT_WITHIN) ||
cd->within != bed->local_id ||
cd->offset != 0 ||
cd->depth != 0 ||
cd->distance != 0) {
cd->flags != (DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_WITHIN | DETECT_CONTENT_MPM) ||
cd->within != bed->local_id || cd->offset != 0 || cd->depth != 0 || cd->distance != 0) {
printf("three failed\n");
result = 0;
goto end;
@ -2699,13 +2685,10 @@ static int DetectByteExtractTest50(void)
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_WITHIN_VAR |
DETECT_CONTENT_WITHIN|
DETECT_CONTENT_WITHIN_NEXT) ||
cd->within != bed1->local_id ||
cd->depth != 0 ||
cd->offset != 0 ||
cd->distance != 0) {
cd->flags != (DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_WITHIN |
DETECT_CONTENT_WITHIN_NEXT | DETECT_CONTENT_MPM) ||
cd->within != bed1->local_id || cd->depth != 0 || cd->offset != 0 ||
cd->distance != 0) {
printf("four failed\n");
result = 0;
goto end;
@ -2970,7 +2953,7 @@ static int DetectByteExtractTest53(void)
SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
FAIL_IF(sm->type != DETECT_CONTENT);
DetectContentData *cd = (DetectContentData *)sm->ctx;
FAIL_IF(cd->flags != 0);
FAIL_IF(cd->flags != (DETECT_CONTENT_MPM | DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED));
sm = sm->next;
FAIL_IF_NULL(sm);
@ -3092,11 +3075,8 @@ static int DetectByteExtractTest54(void)
goto end;
}
bjd = (DetectBytejumpData *)sm->ctx;
if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
printf("four failed\n");
result = 0;
goto end;
}
FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
FAIL_IF(bjd->offset != 1);
if (sm->next != NULL)
goto end;
@ -3197,12 +3177,10 @@ static int DetectByteExtractTest55(void)
}
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
DETECT_CONTENT_WITHIN_VAR |
DETECT_CONTENT_DISTANCE |
DETECT_CONTENT_WITHIN) ||
cd->within != bed1->local_id ||
cd->distance != bed2->local_id) {
cd->flags !=
(DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_WITHIN_VAR |
DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN | DETECT_CONTENT_MPM) ||
cd->within != bed1->local_id || cd->distance != bed2->local_id) {
printf("four failed: ");
goto end;
}
@ -3829,8 +3807,8 @@ static int DetectByteExtractTest60(void)
goto end;
}
cd = (DetectContentData *)sm->ctx;
if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
strncmp((char *)cd->content, "three", cd->content_len) != 0) {
if (cd->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_MPM) ||
strncmp((char *)cd->content, "three", cd->content_len) != 0) {
printf("one failed\n");
result = 0;
goto end;
@ -3950,8 +3928,8 @@ static int DetectByteExtractTest61(void)
goto end;
}
cd = (DetectContentData *)sm->ctx;
if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
strncmp((char *)cd->content, "three", cd->content_len) != 0) {
if (cd->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_MPM) ||
strncmp((char *)cd->content, "three", cd->content_len) != 0) {
printf("one failed\n");
result = 0;
goto end;

2
src/detect-content.c
Unescape Escape View File

@ -1504,7 +1504,7 @@ static int DetectContentParseTest19(void)
FAIL_IF_NOT(s->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL);
DetectContentData *data = (DetectContentData *)sm->ctx;
FAIL_IF_NOT(data->flags == DETECT_CONTENT_DISTANCE);
FAIL_IF_NOT(data->flags == (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_MPM));
s = DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any "

34
src/detect-engine-build.c
Unescape Escape View File

@ -1704,7 +1704,6 @@ void SignatureSetType(DetectEngineCtx *de_ctx, Signature *s)
}
}
extern int g_skip_prefilter;
/**
* \brief Preprocess signature, classify ip-only, etc, build sig array
*
@ -1788,39 +1787,6 @@ int SigPrepareStage1(DetectEngineCtx *de_ctx)
RuleSetScore(s);
/* if keyword engines are enabled in the config, handle them here */
if (!g_skip_prefilter && de_ctx->prefilter_setting == DETECT_PREFILTER_AUTO &&
!(s->flags & SIG_FLAG_PREFILTER)) {
int prefilter_list = DETECT_TBLSIZE;
// TODO buffers?
/* get the keyword supporting prefilter with the lowest type */
for (int i = 0; i < DETECT_SM_LIST_MAX; i++) {
for (SigMatch *sm = s->init_data->smlists[i]; sm != NULL; sm = sm->next) {
if (sigmatch_table[sm->type].SupportsPrefilter != NULL) {
if (sigmatch_table[sm->type].SupportsPrefilter(s)) {
prefilter_list = MIN(prefilter_list, sm->type);
}
}
}
}
/* apply that keyword as prefilter */
if (prefilter_list != DETECT_TBLSIZE) {
for (int i = 0; i < DETECT_SM_LIST_MAX; i++) {
for (SigMatch *sm = s->init_data->smlists[i]; sm != NULL; sm = sm->next) {
if (sm->type == prefilter_list) {
s->init_data->prefilter_sm = sm;
s->flags |= SIG_FLAG_PREFILTER;
SCLogConfig("sid %u: prefilter is on \"%s\"", s->id, sigmatch_table[sm->type].name);
break;
}
}
}
}
}
/* run buffer type callbacks if any */
for (int x = 0; x < DETECT_SM_LIST_MAX; x++) {
if (s->init_data->smlists[x])

1
src/detect-engine-loader.c
Unescape Escape View File

@ -167,7 +167,6 @@ static int DetectLoadSigFile(
sig = DetectEngineAppendSig(de_ctx, line);
if (sig != NULL) {
if (rule_engine_analysis_set || fp_engine_analysis_set) {
RetrieveFPForSig(de_ctx, sig);
if (fp_engine_analysis_set) {
EngineAnalysisFP(de_ctx, sig, line);
}

5
src/detect-engine-mpm.c
Unescape Escape View File

@ -2418,12 +2418,7 @@ int DetectSetFastPatternAndItsId(DetectEngineCtx *de_ctx)
{
uint32_t cnt = 0;
for (Signature *s = de_ctx->sig_list; s != NULL; s = s->next) {
if (s->flags & SIG_FLAG_PREFILTER)
continue;
RetrieveFPForSig(de_ctx, s);
if (s->init_data->mpm_sm != NULL) {
s->flags |= SIG_FLAG_PREFILTER;
cnt++;
}
}

4
src/detect-flow.c
Unescape Escape View File

@ -445,14 +445,18 @@ void DetectFlowFree(DetectEngineCtx *de_ctx, void *ptr)
static void
PrefilterPacketFlowMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
{
SCEnter();
const PrefilterPacketHeaderCtx *ctx = pectx;
if (!PrefilterPacketHeaderExtraMatch(ctx, p))
return;
if (FlowMatch(p->flags, p->flowflags, ctx->v1.u16[0], ctx->v1.u16[1])) {
SCLogDebug("match: adding sids");
PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
}
SCReturn;
}
static void

61
src/detect-parse.c
Unescape Escape View File

@ -940,6 +940,9 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
}
s->init_data->negated = false;
const enum DetectKeywordId idx = SigTableGetIndex(st);
s->init_data->has_possible_prefilter |= de_ctx->sm_types_prefilter[idx];
if (st->flags & SIGMATCH_INFO_DEPRECATED) {
#define URL "https://suricata.io/our-story/deprecation-policy/"
if (st->alternative == 0)
@ -1047,7 +1050,6 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
/* handle 'silent' error case */
if (setup_ret == -2) {
enum DetectKeywordId idx = SigTableGetIndex(st);
if (de_ctx->sm_types_silent_error[idx] == false) {
de_ctx->sm_types_silent_error[idx] = true;
return -1;
@ -1902,6 +1904,61 @@ SigMatchData* SigMatchList2DataArray(SigMatch *head)
return out;
}
extern int g_skip_prefilter;
static void SigSetupPrefilter(DetectEngineCtx *de_ctx, Signature *s)
{
SCEnter();
if (s->init_data->prefilter_sm != NULL || s->init_data->mpm_sm != NULL) {
SCReturn;
}
SCLogDebug("s %u: set up prefilter/mpm", s->id);
RetrieveFPForSig(de_ctx, s);
if (s->init_data->mpm_sm != NULL) {
s->flags |= SIG_FLAG_PREFILTER;
SCReturn;
}
SCLogDebug("s %u: no mpm; prefilter? de_ctx->prefilter_setting %u "
"s->init_data->has_possible_prefilter %s",
s->id, de_ctx->prefilter_setting, BOOL2STR(s->init_data->has_possible_prefilter));
if (!s->init_data->has_possible_prefilter)
SCReturn;
if (!g_skip_prefilter && de_ctx->prefilter_setting == DETECT_PREFILTER_AUTO &&
!(s->flags & SIG_FLAG_PREFILTER)) {
int prefilter_list = DETECT_TBLSIZE;
/* get the keyword supporting prefilter with the lowest type */
for (int i = 0; i < DETECT_SM_LIST_MAX; i++) {
for (SigMatch *sm = s->init_data->smlists[i]; sm != NULL; sm = sm->next) {
if (sigmatch_table[sm->type].SupportsPrefilter != NULL) {
if (sigmatch_table[sm->type].SupportsPrefilter(s)) {
prefilter_list = MIN(prefilter_list, sm->type);
}
}
}
}
/* apply that keyword as prefilter */
if (prefilter_list != DETECT_TBLSIZE) {
for (int i = 0; i < DETECT_SM_LIST_MAX; i++) {
for (SigMatch *sm = s->init_data->smlists[i]; sm != NULL; sm = sm->next) {
if (sm->type == prefilter_list) {
s->init_data->prefilter_sm = sm;
s->flags |= SIG_FLAG_PREFILTER;
SCLogConfig("sid %u: prefilter is on \"%s\"", s->id,
sigmatch_table[sm->type].name);
break;
}
}
}
}
}
SCReturn;
}
/**
* \internal
* \brief validate a just parsed signature for internal inconsistencies
@ -2244,6 +2301,8 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, const char *sigstr,
DetectEngineBufferRunSetupCallback(de_ctx, sig->init_data->buffers[x].id, sig);
}
SigSetupPrefilter(de_ctx, sig);
/* validate signature, SigValidate will report the error reason */
if (SigValidate(de_ctx, sig) == 0) {
goto error;

3
src/detect.h
Unescape Escape View File

@ -551,6 +551,9 @@ typedef struct SignatureInitData_ {
bool src_contains_negation;
bool dst_contains_negation;
/** see if any of the sigmatches supports an enabled prefilter */
bool has_possible_prefilter;
/* used to hold flags that are used during init */
uint32_t init_flags;
/* coccinelle: SignatureInitData:init_flags:SIG_FLAG_INIT_ */

180
src/tests/detect-http-client-body.c
Unescape Escape View File

@ -2231,7 +2231,7 @@ static int DetectHttpClientBodyTest22(void)
FAIL_IF(memcmp(cd2->content, "four", cd2->content_len) != 0);
FAIL_IF(hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT);
FAIL_IF(memcmp(hcbd1->content, "two", hcbd1->content_len) != 0);
FAIL_IF(hcbd2->flags != DETECT_CONTENT_DISTANCE);
FAIL_IF(hcbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_MPM));
FAIL_IF(memcmp(hcbd2->content, "three", hcbd1->content_len) != 0);
FAIL_IF(!DETECT_CONTENT_IS_SINGLE(cd1));
@ -2273,7 +2273,7 @@ static int DetectHttpClientBodyTest23(void)
FAIL_IF(memcmp(cd2->content, "four", cd2->content_len) != 0);
FAIL_IF(hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT);
FAIL_IF(memcmp(hcbd1->content, "one", hcbd1->content_len) != 0);
FAIL_IF(hcbd2->flags != DETECT_CONTENT_DISTANCE);
FAIL_IF(hcbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_MPM));
FAIL_IF(memcmp(hcbd2->content, "three", hcbd1->content_len) != 0);
FAIL_IF(!DETECT_CONTENT_IS_SINGLE(cd2));
FAIL_IF(DETECT_CONTENT_IS_SINGLE(hcbd1));
@ -2285,31 +2285,17 @@ static int DetectHttpClientBodyTest23(void)
static int DetectHttpClientBodyTest24(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_client_body; pcre:/two/; "
"content:\"three\"; distance:10; within:15; "
"http_client_body; content:\"four\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
}
if (de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL) {
printf("de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL\n");
goto end;
}
FAIL_IF_NULL(s);
if (DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL) {
printf("DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
goto end;
}
FAIL_IF_NULL(de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH]);
FAIL_IF_NULL(DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id));
DetectPcreData *pd1 =
(DetectPcreData *)de_ctx->sig_list->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]
@ -2322,56 +2308,35 @@ static int DetectHttpClientBodyTest24(void)
->prev->ctx;
DetectContentData *hcbd2 =
(DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
if (pd1->flags != 0 ||
cd2->flags != 0 || memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
hcbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) ||
memcmp(hcbd2->content, "three", hcbd1->content_len) != 0) {
goto end;
}
if (!DETECT_CONTENT_IS_SINGLE(cd2) ||
DETECT_CONTENT_IS_SINGLE(hcbd1) ||
DETECT_CONTENT_IS_SINGLE(hcbd2)) {
goto end;
}
FAIL_IF(pd1->flags != 0);
FAIL_IF(cd2->flags != 0);
FAIL_IF(memcmp(cd2->content, "four", cd2->content_len) != 0);
FAIL_IF(hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT);
FAIL_IF(memcmp(hcbd1->content, "one", hcbd1->content_len) != 0);
FAIL_IF(hcbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN | DETECT_CONTENT_MPM));
FAIL_IF(memcmp(hcbd2->content, "three", hcbd1->content_len) != 0);
result = 1;
FAIL_IF(!DETECT_CONTENT_IS_SINGLE(cd2));
FAIL_IF(DETECT_CONTENT_IS_SINGLE(hcbd1));
FAIL_IF(DETECT_CONTENT_IS_SINGLE(hcbd2));
end:
DetectEngineCtxFree(de_ctx);
return result;
PASS;
}
static int DetectHttpClientBodyTest25(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
Signature *s =
DetectEngineAppendSig(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; http_client_body; pcre:/two/; "
"content:\"three\"; distance:10; http_client_body; "
"content:\"four\"; distance:10; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
}
if (de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL) {
printf("de_ctx->sig_list->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL\n");
goto end;
}
if (DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL) {
printf("DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id) == NULL\n");
goto end;
}
FAIL_IF_NULL(s);
FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_PMATCH]);
FAIL_IF_NULL(DetectBufferGetFirstSigMatch(s, g_http_client_body_buffer_id));
DetectPcreData *pd1 =
(DetectPcreData *)de_ctx->sig_list->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]
@ -2384,27 +2349,20 @@ static int DetectHttpClientBodyTest25(void)
->prev->ctx;
DetectContentData *hcbd2 =
(DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
if (pd1->flags != DETECT_PCRE_RELATIVE_NEXT ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
hcbd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hcbd2->content, "three", hcbd1->content_len) != 0) {
goto end;
}
if (DETECT_CONTENT_IS_SINGLE(cd2) ||
DETECT_CONTENT_IS_SINGLE(hcbd1) ||
DETECT_CONTENT_IS_SINGLE(hcbd2)) {
goto end;
}
FAIL_IF(pd1->flags != DETECT_PCRE_RELATIVE_NEXT);
FAIL_IF(cd2->flags != DETECT_CONTENT_DISTANCE);
FAIL_IF(memcmp(cd2->content, "four", cd2->content_len) != 0);
FAIL_IF(hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT);
FAIL_IF(memcmp(hcbd1->content, "one", hcbd1->content_len) != 0);
FAIL_IF(hcbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_MPM));
FAIL_IF(memcmp(hcbd2->content, "three", hcbd1->content_len) != 0);
result = 1;
FAIL_IF(DETECT_CONTENT_IS_SINGLE(cd2));
FAIL_IF(DETECT_CONTENT_IS_SINGLE(hcbd1));
FAIL_IF(DETECT_CONTENT_IS_SINGLE(hcbd2));
end:
DetectEngineCtxFree(de_ctx);
return result;
PASS;
}
static int DetectHttpClientBodyTest26(void)
@ -2447,13 +2405,13 @@ static int DetectHttpClientBodyTest26(void)
->prev->ctx;
DetectContentData *hcbd2 =
(DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hcbd1->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_OFFSET) ||
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
hcbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) ||
memcmp(hcbd2->content, "three", hcbd1->content_len) != 0) {
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hcbd1->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_OFFSET) ||
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
hcbd2->flags !=
(DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN | DETECT_CONTENT_MPM) ||
memcmp(hcbd2->content, "three", hcbd1->content_len) != 0) {
printf ("failed: http_client_body incorrect flags");
goto end;
}
@ -2533,13 +2491,11 @@ static int DetectHttpClientBodyTest28(void)
->prev->ctx;
DetectContentData *hcbd2 =
(DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hcbd1->flags != 0 ||
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
hcbd2->flags != DETECT_CONTENT_DEPTH ||
memcmp(hcbd2->content, "three", hcbd1->content_len) != 0) {
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) || cd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(cd2->content, "four", cd2->content_len) != 0 || hcbd1->flags != 0 ||
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
hcbd2->flags != (DETECT_CONTENT_DEPTH | DETECT_CONTENT_MPM) ||
memcmp(hcbd2->content, "three", hcbd1->content_len) != 0) {
goto end;
}
@ -2589,12 +2545,10 @@ static int DetectHttpClientBodyTest29(void)
->prev->ctx;
DetectContentData *hcbd2 =
(DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
if (hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
hcbd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hcbd2->content, "two", hcbd1->content_len) != 0) {
goto end;
}
FAIL_IF(hcbd1->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_MPM));
FAIL_IF(memcmp(hcbd1->content, "one", hcbd1->content_len) != 0);
FAIL_IF(hcbd2->flags != DETECT_CONTENT_DISTANCE);
FAIL_IF(memcmp(hcbd2->content, "two", hcbd1->content_len) != 0);
result = 1;
@ -2636,12 +2590,10 @@ static int DetectHttpClientBodyTest30(void)
->prev->ctx;
DetectContentData *hcbd2 =
(DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
if (hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
hcbd2->flags != DETECT_CONTENT_WITHIN ||
memcmp(hcbd2->content, "two", hcbd1->content_len) != 0) {
goto end;
}
FAIL_IF(hcbd1->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_MPM));
FAIL_IF(memcmp(hcbd1->content, "one", hcbd1->content_len) != 0);
FAIL_IF(hcbd2->flags != DETECT_CONTENT_WITHIN);
FAIL_IF(memcmp(hcbd2->content, "two", hcbd1->content_len) != 0);
result = 1;
@ -2754,11 +2706,9 @@ static int DetectHttpClientBodyTest34(void)
->prev->ctx;
DetectContentData *hcbd2 =
(DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hcbd2->flags != DETECT_CONTENT_WITHIN ||
memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) {
goto end;
}
FAIL_IF(pd1->flags != (DETECT_PCRE_RELATIVE_NEXT));
FAIL_IF(hcbd2->flags != (DETECT_CONTENT_WITHIN | DETECT_CONTENT_MPM));
FAIL_IF(memcmp(hcbd2->content, "two", hcbd2->content_len) != 0);
result = 1;
@ -2808,11 +2758,9 @@ static int DetectHttpClientBodyTest35(void)
->prev->ctx;
DetectPcreData *pd2 =
(DetectPcreData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
if (pd2->flags != (DETECT_PCRE_RELATIVE) ||
hcbd1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
memcmp(hcbd1->content, "two", hcbd1->content_len) != 0) {
goto end;
}
FAIL_IF(pd2->flags != (DETECT_PCRE_RELATIVE));
FAIL_IF(hcbd1->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_MPM));
FAIL_IF(memcmp(hcbd1->content, "two", hcbd1->content_len) != 0);
result = 1;
@ -2863,11 +2811,9 @@ static int DetectHttpClientBodyTest36(void)
->prev->ctx;
DetectContentData *hcbd2 =
(DetectContentData *)DetectBufferGetLastSigMatch(s, g_http_client_body_buffer_id)->ctx;
if (pd1->flags != (DETECT_PCRE_RELATIVE_NEXT) ||
hcbd2->flags != DETECT_CONTENT_DISTANCE ||
memcmp(hcbd2->content, "two", hcbd2->content_len) != 0) {
goto end;
}
FAIL_IF(pd1->flags != (DETECT_PCRE_RELATIVE_NEXT));
FAIL_IF(hcbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_MPM));
FAIL_IF(memcmp(hcbd2->content, "two", hcbd2->content_len) != 0);
result = 1;

Write Preview
Loading…
Cancel
Save