aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update failing unittest to reflect the mpm design update

Browse Source
remotes/origin/master-1.1.x
Anoop Saldanha 14 years ago committed by Victor Julien
parent af51493da2
commit eff08f93d8
19 changed files with 200 additions and 224 deletions
Show Stats Download Patch File Download Diff File

4
src/alert-fastlog.c
Unescape Escape View File

@ -438,7 +438,7 @@ int AlertFastLogTest01()
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"FastLog test\"; content:\"GET\"; "
"(msg:\"FastLog test\"; content:\"GET\"; dsize:>1; "
"Classtype:unknown; sid:1;)");
result = (de_ctx->sig_list != NULL);
@ -494,7 +494,7 @@ int AlertFastLogTest02()
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"FastLog test\"; content:\"GET\"; "
"(msg:\"FastLog test\"; content:\"GET\"; dsize:>1; "
"Classtype:unknown; sid:1;)");
result = (de_ctx->sig_list != NULL);
if (result == 0)

6
src/detect-asn1.c
Unescape Escape View File

@ -1059,12 +1059,12 @@ int DetectAsn1TestReal01(void) {
char *sigs[3];
sigs[0]= "alert ip any any -> any any (msg:\"Testing id 1\"; "
"content:\"Pablo\"; asn1:absolute_offset 0, "
"oversize_length 130; sid:1;)";
"oversize_length 130; dsize:>1; sid:1;)";
sigs[1]= "alert ip any any -> any any (msg:\"Testing id 2\"; "
"content:\"AA\"; asn1:relative_offset 2, "
"oversize_length 130; sid:2;)";
"oversize_length 130; dsize:>1; sid:2;)";
sigs[2]= "alert ip any any -> any any (msg:\"Testing id 3\"; "
"content:\"lalala\"; asn1: oversize_length 2000; sid:3;)";
"content:\"lalala\"; asn1: oversize_length 2000; dsize:>1; sid:3;)";
uint32_t sid[3] = {1, 2, 3};

4
src/detect-bytejump.c
Unescape Escape View File

@ -1113,7 +1113,7 @@ int DetectByteJumpTestPacket01 (void) {
char sig[] = "alert tcp any any -> any any (msg:\"pcre + byte_test + "
"relative\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\"; byte_jump:1,6,"
"relative,string,dec; content:\"0\"; sid:134; rev:1;)";
"relative,string,dec; content:\"0\"; dsize:>1; sid:134; rev:1;)";
result = UTHPacketMatchSig(p, sig);
@ -1145,7 +1145,7 @@ int DetectByteJumpTestPacket02 (void) {
char sig[] = "alert tcp any any -> any any (msg:\"byte_jump with byte_jump"
" + relative\"; byte_jump:1,13; byte_jump:4,0,relative; "
"content:\"|48 00 00|\"; within:3; sid:144; rev:1;)";
"content:\"|48 00 00|\"; within:3; dsize:>1; sid:144; rev:1;)";
result = UTHPacketMatchSig(p, sig);

4
src/detect-bytetest.c
Unescape Escape View File

@ -1491,7 +1491,7 @@ int DetectByteTestTestPacket04(void)
char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
"relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
"byte_test:1,<=,0,0,relative,string,dec; sid:124; rev:1;)";
"byte_test:1,<=,0,0,relative,string,dec; dsize:>1; sid:124; rev:1;)";
result = UTHPacketMatchSig(p, sig);
@ -1521,7 +1521,7 @@ int DetectByteTestTestPacket05(void)
char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
"relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
"byte_test:1,>=,0,0,relative,string,dec; sid:125; rev:1;)";
"byte_test:1,>=,0,0,relative,string,dec; dsize:>1; sid:125; rev:1;)";
result = UTHPacketMatchSig(p, sig);

38
src/detect-content.c
Unescape Escape View File

@ -839,7 +839,7 @@ int DetectContentLongPatternMatchTestWrp(char *sig, uint32_t sid) {
int DetectContentLongPatternMatchTest01()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"Hi, this is a big test\"; sid:1;)";
" content:\"Hi, this is a big test\"; dsize:>1; sid:1;)";
return DetectContentLongPatternMatchTestWrp(sig, 1);
}
@ -850,7 +850,7 @@ int DetectContentLongPatternMatchTest02()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"Hi, this is a big test to check content matches of"
" splitted patterns between multiple chunks!\"; sid:1;)";
" splitted patterns between multiple chunks!\"; dsize:>1; sid:1;)";
return DetectContentLongPatternMatchTestWrp(sig, 1);
}
@ -863,7 +863,7 @@ int DetectContentLongPatternMatchTest03()
/** The last chunk of the content should not match */
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"Hi, this is a big test to check content matches of"
" splitted patterns between multiple splitted chunks!\"; sid:1;)";
" splitted patterns between multiple splitted chunks!\"; dsize:>1; sid:1;)";
return (DetectContentLongPatternMatchTestWrp(sig, 1) == 0) ? 1: 0;
}
@ -876,7 +876,7 @@ int DetectContentLongPatternMatchTest04()
" content:\"Hi, this is\"; depth:15 ;content:\"a big test\"; "
" within:15; content:\"to check content matches of\"; "
" within:30; content:\"splitted patterns\"; distance:1; "
" within:30; depth:400;"
" within:30; depth:400; dsize:>1; "
" sid:1;)";
return DetectContentLongPatternMatchTestWrp(sig, 1);
}
@ -896,7 +896,7 @@ int DetectContentLongPatternMatchTest05()
" content:\"of splitted\"; within:37; distance:15; "
" depth:60; isdataat:20,relative; offset: 48; "
" content:\"patterns\"; within:9; distance:1; depth:69; "
" isdataat:10, relative; offset:60; "
" isdataat:10, relative; offset:60; dsize:>1; "
" sid:1;)";
return DetectContentLongPatternMatchTestWrp(sig, 1);
}
@ -914,7 +914,7 @@ int DetectContentLongPatternMatchTest06()
" content:\"of splitted patterns between multiple\"; "
" within:38; distance:1; offset:47; depth:85; "
" content:\"chunks!\"; within: 8; distance:1; "
" depth:94; offset: 50; "
" depth:94; offset: 50; dsize:>1; "
" sid:1;)";
return DetectContentLongPatternMatchTestWrp(sig, 1);
}
@ -929,7 +929,7 @@ int DetectContentLongPatternMatchTest07()
" content:\"chunks!\"; "
" content:\"content matches\"; offset:32; depth:47; "
" content:\"of splitted patterns between multiple\"; "
" content:\"Hi, this is a big\"; offset:0; depth:17; "
" content:\"Hi, this is a big\"; offset:0; depth:17; dsize:>1; "
" sid:1;)";
return DetectContentLongPatternMatchTestWrp(sig, 1);
}
@ -946,7 +946,7 @@ int DetectContentLongPatternMatchTest08()
" within:38; distance:1; offset:47; depth:85; "
" content:\"chunks!\"; within: 8; distance:1; "
" depth:94; offset: 50; "
" content:\"Hi, this is a big test to check cont\"; depth:36;"
" content:\"Hi, this is a big test to check cont\"; depth:36; dsize:>1; "
" sid:1;)";
return DetectContentLongPatternMatchTestWrp(sig, 1);
}
@ -964,7 +964,7 @@ int DetectContentLongPatternMatchTest09()
" content:\"chunks!\"; within: 8; distance:1; "
" depth:94; offset: 50; "
" content:\"Hi, this is a big test to chec\"; depth:36;"
" content:\"k cont\"; distance:0; within:6;"
" content:\"k cont\"; distance:0; within:6; dsize:>1; "
" sid:1;)";
return DetectContentLongPatternMatchTestWrp(sig, 1);
}
@ -976,7 +976,7 @@ int DetectContentLongPatternMatchTest10()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\"; "
" content:\"Hi, this is a big test to check \"; "
" content:\"con\"; "
" content:\"con\"; dsize:>1; "
" sid:1;)";
return DetectContentLongPatternMatchTestWrp(sig, 1);
}
@ -988,7 +988,7 @@ int DetectContentLongPatternMatchTest11()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\"; "
" content:\"H\"; "
" content:\"i\"; "
" content:\"i\"; dsize:>1; "
" sid:1;)";
return DetectContentLongPatternMatchTestWrp(sig, 1);
}
@ -2091,7 +2091,7 @@ static int SigTest47TestNegatedContent(void)
*/
static int SigTest48TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; within:26; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; within:26; dsize:>1; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}
/**
@ -2109,7 +2109,7 @@ static int SigTest49TestNegatedContent(void)
*/
static int SigTest50TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; distance:25; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; distance:25; dsize:>1; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}
/**
@ -2166,7 +2166,7 @@ static int SigTest55TestNegatedContent(void)
*/
static int SigTest56TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:\"fourty\"; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:\"fourty\"; within:56; dsize:>1; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2252,7 +2252,7 @@ static int SigTest67TestNegatedContent(void)
static int SigTest68TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:28; content:\"fiftysix\"; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:28; content:\"fiftysix\"; dsize:>1; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest69TestNegatedContent(void)
@ -2283,12 +2283,12 @@ static int SigTest73TestNegatedContent(void)
static int SigTest74TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:!\"PASS\"; sid:1;)", (uint8_t *)"USER apple");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:!\"PASS\"; dsize:>1; sid:1;)", (uint8_t *)"USER apple");
}
static int SigTest75TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)", (uint8_t *)"USER !PASS");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; dsize:>1; sid:1;)", (uint8_t *)"USER !PASS");
}
static int SigTest76TestBug134(void)
@ -2310,7 +2310,7 @@ static int SigTest76TestBug134(void)
char sig[] = "alert tcp any any -> any 515 "
"(msg:\"detect IFS\"; flow:to_server,established; content:\"${IFS}\";"
" depth:50; offset:0; sid:900091; rev:1;)";
" depth:50; offset:0; dsize:>1; sid:900091; rev:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
@ -2336,7 +2336,7 @@ static int SigTest77TestBug139(void)
p->dp = 53;
char sig[] = "alert udp any any -> any 53 (msg:\"dns testing\";"
" content:\"|00 00|\"; depth:5; offset:13; sid:9436601;"
" content:\"|00 00|\"; depth:5; offset:13; dsize:>1; sid:9436601;"
" rev:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;

2
src/detect-distance.c
Unescape Escape View File

@ -893,7 +893,7 @@ int DetectDistanceTestPacket01 (void) {
char sig[] = "alert tcp any any -> any any (msg:\"suricata test\"; "
"byte_jump:1,2; content:\"|00|\"; "
"within:1; distance:2; sid:98711212; rev:1;)";
"within:1; distance:2; dsize:>1; sid:98711212; rev:1;)";
p->flowflags = FLOW_PKT_ESTABLISHED | FLOW_PKT_TOCLIENT;
result = UTHPacketMatchSig(p, sig);

10
src/detect-engine-iponly.c
Unescape Escape View File

@ -1789,7 +1789,7 @@ int IPOnlyTestSig05(void) {
sigs[3]= "alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
sigs[4]= "alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
sigs[5]= "alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
sigs[6]= "alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
sigs[6]= "alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\"; dsize:>1; sid:7;)";
/* Sid numbers (we could extract them from the sig) */
uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
@ -1825,7 +1825,7 @@ int IPOnlyTestSig06(void) {
sigs[3]= "alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
sigs[4]= "alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
sigs[5]= "alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
sigs[6]= "alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
sigs[6]= "alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\"; dsize:>1; sid:7;)";
/* Sid numbers (we could extract them from the sig) */
uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
@ -1933,7 +1933,7 @@ int IPOnlyTestSig09(void) {
sigs[3]= "alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:0/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
sigs[4]= "alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
sigs[5]= "alert tcp any any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
sigs[6]= "alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
sigs[6]= "alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\"; dsize:>1; sid:7;)";
/* Sid numbers (we could extract them from the sig) */
uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
@ -1969,7 +1969,7 @@ int IPOnlyTestSig10(void) {
sigs[3]= "alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> !3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
sigs[4]= "alert tcp !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
sigs[5]= "alert tcp any any -> !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
sigs[6]= "alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDB:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
sigs[6]= "alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDB:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\"; dsize:>1; sid:7;)";
/* Sid numbers (we could extract them from the sig) */
uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
@ -2143,7 +2143,7 @@ int IPOnlyTestSig15(void)
sigs[5]= "alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; "
"flowbits:set,six; sid:6;)";
sigs[6]= "alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; "
"flowbits:set,seven; content:\"Hi all\"; sid:7;)";
"flowbits:set,seven; content:\"Hi all\"; dsize:>1; sid:7;)";
/* Sid numbers (we could extract them from the sig) */
uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};

42
src/detect-engine-payload.c
Unescape Escape View File

@ -539,7 +539,7 @@ static int PayloadTestSig01 (void) {
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
char sig[] = "alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
@ -560,7 +560,7 @@ static int PayloadTestSig02 (void) {
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
char sig[] = "alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
@ -581,7 +581,7 @@ static int PayloadTestSig03 (void) {
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
@ -606,7 +606,7 @@ static int PayloadTestSig04(void)
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
"content:\"string\"; within:8; sid:1;)";
"content:\"string\"; within:8; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
@ -631,7 +631,7 @@ static int PayloadTestSig05(void)
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
"content:\"string\"; within:8; sid:1;)";
"content:\"string\"; within:8; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
@ -656,7 +656,7 @@ static int PayloadTestSig06(void)
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
"content:\"string\"; within:8; sid:1;)";
"content:\"string\"; within:8; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
@ -680,7 +680,7 @@ static int PayloadTestSig07(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
"content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
@ -706,7 +706,7 @@ static int PayloadTestSig08(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
"content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 1) {
goto end;
@ -730,7 +730,7 @@ static int PayloadTestSig09(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"pcre:/super/; content:\"nova\"; within:7; sid:1;)";
"pcre:/super/; content:\"nova\"; within:7; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
@ -851,7 +851,7 @@ static int PayloadTestSig13(void)
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
"byte_test:1,>,200,0,relative; sid:1;)";
"byte_test:1,>,200,0,relative; dsize:>1; sid:1;)";
#include <sys/time.h>
struct timeval tv_start, tv_end, tv_diff;
@ -926,7 +926,7 @@ static int PayloadTestSig14(void)
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
char sig[] = "alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; dsize:>1; sid:1; rev:1;)";
//char sig[] = "alert tcp any any -> any any (content:\"User-Agent: Mozilla/5.0 (Macintosh; \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
@ -949,7 +949,7 @@ static int PayloadTestSig15(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"nova\"; isdataat:18,relative; sid:1;)";
"content:\"nova\"; isdataat:18,relative; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
@ -972,7 +972,7 @@ static int PayloadTestSig16(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"nova\"; isdataat:!20,relative; sid:1;)";
"content:\"nova\"; isdataat:!20,relative; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
@ -996,7 +996,7 @@ static int PayloadTestSig17(void)
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"%\"; depth:4; offset:0; "
"content:\"%\"; within:2; distance:1; sid:1;)";
"content:\"%\"; within:2; distance:1; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
@ -1025,7 +1025,7 @@ static int PayloadTestSig18(void)
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
"content:\"|0C 0D 0E 0F|\"; distance:one; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
@ -1054,7 +1054,7 @@ static int PayloadTestSig19(void)
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,hex,relative; "
"content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
"content:\"|0C 0D 0E 0F|\"; distance:one; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
@ -1083,7 +1083,7 @@ static int PayloadTestSig20(void)
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"content:\"|06 35 07 08|\"; offset:one; sid:1;)";
"content:\"|06 35 07 08|\"; offset:one; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
@ -1112,7 +1112,7 @@ static int PayloadTestSig21(void)
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"content:\"|03 04 05 06|\"; depth:one; sid:1;)";
"content:\"|03 04 05 06|\"; depth:one; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
@ -1141,7 +1141,7 @@ static int PayloadTestSig22(void)
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
"content:\"|09 0A 0B 0C|\"; within:one; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
@ -1171,7 +1171,7 @@ static int PayloadTestSig23(void)
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"byte_extract:1,3,two,string,dec,relative; "
"byte_test:1,=,one,two,string,dec,relative; sid:1;)";
"byte_test:1,=,one,two,string,dec,relative; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
@ -1201,7 +1201,7 @@ static int PayloadTestSig24(void)
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"byte_jump:1,one,string,dec,relative; "
"content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
"content:\"|0D 0E 0F|\"; distance:0; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;

38
src/detect-engine-port.c
Unescape Escape View File

@ -2286,7 +2286,7 @@ int PortTestMatchRealWrp(char *sig, uint32_t sid) {
int PortTestMatchReal01()
{
/* tcp.sport=47370 tcp.dport=80 */
char *sig = "alert tcp any any -> any 80 (msg:\"Nothing..\"; content:\"GET\"; sid:1;)";
char *sig = "alert tcp any any -> any 80 (msg:\"Nothing..\"; content:\"GET\"; dsize:>1; sid:1;)";
return PortTestMatchRealWrp(sig, 1);
}
@ -2296,7 +2296,7 @@ int PortTestMatchReal01()
int PortTestMatchReal02()
{
char *sig = "alert tcp any 47370 -> any any (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return PortTestMatchRealWrp(sig, 1);
}
@ -2306,7 +2306,7 @@ int PortTestMatchReal02()
int PortTestMatchReal03()
{
char *sig = "alert tcp any 47370 -> any 80 (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return PortTestMatchRealWrp(sig, 1);
}
@ -2316,7 +2316,7 @@ int PortTestMatchReal03()
int PortTestMatchReal04()
{
char *sig = "alert tcp any any -> any !80 (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return (PortTestMatchRealWrp(sig, 1) == 0)? 1 : 0;
}
@ -2326,7 +2326,7 @@ int PortTestMatchReal04()
int PortTestMatchReal05()
{
char *sig = "alert tcp any !47370 -> any any (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return (PortTestMatchRealWrp(sig, 1) == 0)? 1 : 0;
}
@ -2336,7 +2336,7 @@ int PortTestMatchReal05()
int PortTestMatchReal06()
{
char *sig = "alert tcp any !47370 -> any !80 (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return (PortTestMatchRealWrp(sig, 1) == 0)? 1 : 0;
}
@ -2346,7 +2346,7 @@ int PortTestMatchReal06()
int PortTestMatchReal07()
{
char *sig = "alert tcp any any -> any 70:100 (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return PortTestMatchRealWrp(sig, 1);
}
@ -2356,7 +2356,7 @@ int PortTestMatchReal07()
int PortTestMatchReal08()
{
char *sig = "alert tcp any 47000:50000 -> any any (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return PortTestMatchRealWrp(sig, 1);
}
@ -2366,7 +2366,7 @@ int PortTestMatchReal08()
int PortTestMatchReal09()
{
char *sig = "alert tcp any 47000:50000 -> any 70:100 (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return PortTestMatchRealWrp(sig, 1);
}
@ -2376,7 +2376,7 @@ int PortTestMatchReal09()
int PortTestMatchReal10()
{
char *sig = "alert tcp any any -> any !70:100 (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return (PortTestMatchRealWrp(sig, 1) == 0)? 1 : 0;
}
@ -2386,7 +2386,7 @@ int PortTestMatchReal10()
int PortTestMatchReal11()
{
char *sig = "alert tcp any !47000:50000 -> any any (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return (PortTestMatchRealWrp(sig, 1) == 0)? 1 : 0;
}
@ -2396,7 +2396,7 @@ int PortTestMatchReal11()
int PortTestMatchReal12()
{
char *sig = "alert tcp any !47000:50000 -> any !70:100 (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return (PortTestMatchRealWrp(sig, 1) == 0)? 1 : 0;
}
@ -2406,7 +2406,7 @@ int PortTestMatchReal12()
int PortTestMatchReal13()
{
char *sig = "alert tcp any 47000:50000 -> any !81: (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return PortTestMatchRealWrp(sig, 1);
}
@ -2416,7 +2416,7 @@ int PortTestMatchReal13()
int PortTestMatchReal14()
{
char *sig = "alert tcp any !48000:50000 -> any :100 (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return PortTestMatchRealWrp(sig, 1);
}
@ -2426,7 +2426,7 @@ int PortTestMatchReal14()
int PortTestMatchReal15()
{
char *sig = "alert tcp any :50000 -> any 81:100 (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return (PortTestMatchRealWrp(sig, 1) == 0)? 1 : 0;
}
@ -2436,7 +2436,7 @@ int PortTestMatchReal15()
int PortTestMatchReal16()
{
char *sig = "alert tcp any 100: -> any ![0:79,81:65535] (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return PortTestMatchRealWrp(sig, 1);
}
@ -2446,7 +2446,7 @@ int PortTestMatchReal16()
int PortTestMatchReal17()
{
char *sig = "alert tcp any ![0:39999,48000:50000] -> any ![0:80,82:65535] "
"(msg:\"Nothing..\"; content:\"GET\"; sid:1;)";
"(msg:\"Nothing..\"; content:\"GET\"; dsize:>1; sid:1;)";
return (PortTestMatchRealWrp(sig, 1) == 0)? 1 : 0;
}
@ -2456,7 +2456,7 @@ int PortTestMatchReal17()
int PortTestMatchReal18()
{
char *sig = "alert tcp any ![0:39999,48000:50000] -> any 80 (msg:\"Nothing"
" at all\"; content:\"GET\"; sid:1;)";
" at all\"; content:\"GET\"; dsize:>1; sid:1;)";
return PortTestMatchRealWrp(sig, 1);
}
@ -2466,7 +2466,7 @@ int PortTestMatchReal18()
int PortTestMatchReal19()
{
char *sig = "alert tcp any any -> any 80 (msg:\"Nothing..\";"
" content:\"GET\"; sid:1;)";
" content:\"GET\"; dsize:>1; sid:1;)";
return PortTestMatchRealWrp(sig, 1);
}

4
src/detect-fast-pattern.c
Unescape Escape View File

@ -1015,12 +1015,12 @@ int DetectFastPatternTest14(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"fast_pattern test\"; content:\"strings_string5\"; content:\"knight\"; fast_pattern; sid:1;)");
"(msg:\"fast_pattern test\"; content:\"strings_string5\"; content:\"knight\"; fast_pattern; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test different content\"; content:\"Dummy is our name\"; sid:2;)");
"(msg:\"test different content\"; content:\"Dummy is our name\"; dsize:>1; sid:2;)");
if (de_ctx->sig_list->next == NULL)
goto end;

14
src/detect-flowint.c
Unescape Escape View File

@ -1391,11 +1391,11 @@ int DetectFlowintTestPacket01Real()
de_ctx->flags |= DE_QUIET;
/* Now that we have the array of packets for the flow, prepare the signatures */
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint:myvar,=,1; flowint:maxvar,=,6; sid:101;)");
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint:myvar,=,1; flowint:maxvar,=,6; dsize:>1; sid:101;)");
de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint: myvar,+,2; sid:102;)");
de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint: myvar,+,2; dsize:>1; sid:102;)");
de_ctx->sig_list->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar,==,3; flowint: cntpackets, =, 0; sid:103;)");
de_ctx->sig_list->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar,==,3; flowint: cntpackets, =, 0; dsize:>1; sid:103;)");
de_ctx->sig_list->next->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: myvar,==,3; flowint: cntpackets, +, 1; noalert;sid:104;)");
@ -1736,7 +1736,7 @@ int DetectFlowintTestPacket02Real()
de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: myvar,+,2; sid:102;)");
de_ctx->sig_list->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar, isset; flowint: myvar,==,3; flowint:cntpackets,notset; flowint: cntpackets, =, 0; sid:103;)");
de_ctx->sig_list->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar, isset; flowint: myvar,==,3; flowint:cntpackets,notset; flowint: cntpackets, =, 0; dsize:>1; sid:103;)");
de_ctx->sig_list->next->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: cntpackets,isset; flowint: cntpackets, +, 1; noalert;sid:104;)");
@ -2076,11 +2076,11 @@ int DetectFlowintTestPacket03Real()
de_ctx->flags |= DE_QUIET;
/* Now that we have the array of packets for the flow, prepare the signatures */
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; sid:101;)");
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; dsize:>1; sid:101;)");
de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; sid:102;)");
de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; dsize:>1; sid:102;)");
de_ctx->sig_list->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; sid:103;)");
de_ctx->sig_list->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; dsize:>1; sid:103;)");
de_ctx->sig_list->next->next->next = NULL;

6
src/detect-isdataat.c
Unescape Escape View File

@ -1028,10 +1028,10 @@ int DetectIsdataatTestPacket01 (void) {
char *sigs[5];
sigs[0]= "alert ip any any -> any any (msg:\"Testing window 1\"; isdataat:6; sid:1;)";
sigs[1]= "alert ip any any -> any any (msg:\"Testing window 2\"; content:\"all\"; isdataat:1, relative; isdataat:6; sid:2;)";
sigs[1]= "alert ip any any -> any any (msg:\"Testing window 2\"; content:\"all\"; isdataat:1, relative; isdataat:6; dsize:>1; sid:2;)";
sigs[2]= "alert ip any any -> any any (msg:\"Testing window 3\"; isdataat:8; sid:3;)";
sigs[3]= "alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:5, relative; sid:4;)";
sigs[4]= "alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:6, relative; sid:5;)";
sigs[3]= "alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:5, relative; dsize:>1; sid:4;)";
sigs[4]= "alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:6, relative; dsize:>1; sid:5;)";
uint32_t sid[5] = {1, 2, 3, 4, 5};

27
src/detect-parse.c
Unescape Escape View File

@ -1352,20 +1352,15 @@ static int SigValidate(Signature *s) {
}
if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
if (s->alproto != ALPROTO_UNKNOWN) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
"specific matches (like dsize, flags, ttl) with stream / "
"state matching by matching on app layer proto (like http).");
SCReturnInt(0);
}
if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH])
s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_DMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_AMATCH])
{
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
"specific matches (like dsize, flags, ttl) with stream / "
@ -1373,22 +1368,6 @@ static int SigValidate(Signature *s) {
"http_* keywords).");
SCReturnInt(0);
}
SigMatch *pm = SigMatchGetLastSMFromLists(s, 14,
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]);
if (pm != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature has"
" replace keyword linked with a modified content"
" keyword (http_*, dce_*). It only supports content on"
" raw payload");
SCReturnInt(0);
}
}
SCReturnInt(1);

48
src/detect-replace.c
Unescape Escape View File

@ -378,9 +378,9 @@ int DetectReplaceLongPatternMatchTestUDPWrp(char *sig, uint32_t sid, char *sig_r
int DetectReplaceMatchTest01()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"big\"; replace:\"pig\"; sid:1;)";
" content:\"big\"; replace:\"pig\"; dsize:>1; sid:1;)";
char *sig_rep = "alert tcp any any -> any any (msg:\"replace worked\";"
" content:\"this is a pig test\"; sid:2;)";
" content:\"this is a pig test\"; dsize:>1; sid:2;)";
return DetectReplaceLongPatternMatchTestWrp(sig, 1, sig_rep, 2);
}
@ -390,9 +390,9 @@ int DetectReplaceMatchTest01()
int DetectReplaceMatchTest02()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"th\"; offset: 4; replace:\"TH\"; sid:1;)";
" content:\"th\"; offset: 4; replace:\"TH\"; dsize:>1; sid:1;)";
char *sig_rep = "alert tcp any any -> any any (msg:\"replace worked\";"
" content:\"THis\"; offset:4; sid:2;)";
" content:\"THis\"; offset:4; dsize:>1; sid:2;)";
return DetectReplaceLongPatternMatchTestWrp(sig, 1, sig_rep, 2);
}
@ -402,9 +402,9 @@ int DetectReplaceMatchTest02()
int DetectReplaceMatchTest03()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"th\"; replace:\"TH\"; offset: 4; sid:1;)";
" content:\"th\"; replace:\"TH\"; offset: 4; dsize:>1; sid:1;)";
char *sig_rep = "alert tcp any any -> any any (msg:\"replace worked\";"
" content:\"THis\"; offset:4; sid:2;)";
" content:\"THis\"; offset:4; dsize:>1; sid:2;)";
return DetectReplaceLongPatternMatchTestWrp(sig, 1, sig_rep, 2);
}
@ -414,9 +414,9 @@ int DetectReplaceMatchTest03()
int DetectReplaceMatchTest04()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"th\"; replace:\"TH\"; content:\"patter\"; replace:\"matter\"; sid:1;)";
" content:\"th\"; replace:\"TH\"; content:\"patter\"; replace:\"matter\"; dsize:>1; sid:1;)";
char *sig_rep = "alert tcp any any -> any any (msg:\"replace worked\";"
" content:\"THis\"; content:\"matterns\"; sid:2;)";
" content:\"THis\"; content:\"matterns\"; dsize:>1; sid:2;)";
return DetectReplaceLongPatternMatchTestWrp(sig, 1, sig_rep, 2);
}
@ -451,9 +451,9 @@ int DetectReplaceMatchTest06()
int DetectReplaceMatchTest07()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"BiG\"; nocase; replace:\"pig\"; sid:1;)";
" content:\"BiG\"; nocase; replace:\"pig\"; dsize:>1; sid:1;)";
char *sig_rep = "alert tcp any any -> any any (msg:\"replace worked\";"
" content:\"this is a pig test\"; sid:2;)";
" content:\"this is a pig test\"; dsize:>1; sid:2;)";
return DetectReplaceLongPatternMatchTestWrp(sig, 1, sig_rep, 2);
}
@ -463,9 +463,9 @@ int DetectReplaceMatchTest07()
int DetectReplaceMatchTest08()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"big\"; depth:17; replace:\"pig\"; sid:1;)";
" content:\"big\"; depth:17; replace:\"pig\"; dsize:>1; sid:1;)";
char *sig_rep = "alert tcp any any -> any any (msg:\"replace worked\";"
" content:\"this is a pig test\"; sid:2;)";
" content:\"this is a pig test\"; dsize:>1; sid:2;)";
return DetectReplaceLongPatternMatchTestWrp(sig, 1, sig_rep, 2);
}
@ -487,9 +487,9 @@ int DetectReplaceMatchTest09()
int DetectReplaceMatchTest10()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"big\"; depth:17; replace:\"pig\"; offset: 14; sid:1;)";
" content:\"big\"; depth:17; replace:\"pig\"; offset: 14; dsize:>1; sid:1;)";
char *sig_rep = "alert tcp any any -> any any (msg:\"replace worked\";"
" content:\"pig\"; depth:17; offset:14; sid:2;)";
" content:\"pig\"; depth:17; offset:14; dsize:>1; sid:2;)";
return DetectReplaceLongPatternMatchTestWrp(sig, 1, sig_rep, 2);
}
@ -499,9 +499,9 @@ int DetectReplaceMatchTest10()
int DetectReplaceMatchTest11()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"big\"; replace:\"pig\"; content:\"to\"; within: 11; sid:1;)";
" content:\"big\"; replace:\"pig\"; content:\"to\"; within: 11; dsize:>1; sid:1;)";
char *sig_rep = "alert tcp any any -> any any (msg:\"replace worked\";"
" content:\"pig\"; depth:17; offset:14; sid:2;)";
" content:\"pig\"; depth:17; offset:14; dsize:>1; sid:2;)";
return DetectReplaceLongPatternMatchTestWrp(sig, 1, sig_rep, 2);
}
@ -523,9 +523,9 @@ int DetectReplaceMatchTest12()
int DetectReplaceMatchTest13()
{
char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
" content:\"big\"; replace:\"pig\"; content:\"test\"; distance: 1; sid:1;)";
" content:\"big\"; replace:\"pig\"; content:\"test\"; distance: 1; dsize:>1; sid:1;)";
char *sig_rep = "alert tcp any any -> any any (msg:\"replace worked\";"
" content:\"pig\"; depth:17; offset:14; sid:2;)";
" content:\"pig\"; depth:17; offset:14; dsize:>1; sid:2;)";
return DetectReplaceLongPatternMatchTestWrp(sig, 1, sig_rep, 2);
}
@ -547,9 +547,9 @@ int DetectReplaceMatchTest14()
int DetectReplaceMatchTest15()
{
char *sig = "alert udp any any -> any any (msg:\"Nothing..\";"
" content:\"com\"; replace:\"org\"; sid:1;)";
" content:\"com\"; replace:\"org\"; dsize:>1; sid:1;)";
char *sig_rep = "alert udp any any -> any any (msg:\"replace worked\";"
" content:\"twimg|03|org\"; sid:2;)";
" content:\"twimg|03|org\"; dsize:>1; sid:2;)";
return DetectReplaceLongPatternMatchTestUDPWrp(sig, 1, sig_rep, 2);
}
@ -599,7 +599,7 @@ int DetectReplaceParseTest02(void)
de_ctx->sig_list = SigInit(de_ctx,
"alert http any any -> any any "
"(msg:\"test\"; content:\"doh\"; replace:\"bon\"; sid:238012;)");
if (de_ctx->sig_list != NULL) {
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
@ -786,11 +786,11 @@ void DetectReplaceRegisterTests(void)
UtRegisterTest("DetectReplaceMatchTest15", DetectReplaceMatchTest15, 1);
/* parsing */
UtRegisterTest("DetectReplaceParseTest01", DetectReplaceParseTest01, 1);
UtRegisterTest("DetectReplaceParseTest02", DetectReplaceParseTest02, 0);
UtRegisterTest("DetectReplaceParseTest03", DetectReplaceParseTest03, 0);
UtRegisterTest("DetectReplaceParseTest02", DetectReplaceParseTest02, 1);
UtRegisterTest("DetectReplaceParseTest03", DetectReplaceParseTest03, 1);
UtRegisterTest("DetectReplaceParseTest04", DetectReplaceParseTest04, 1);
UtRegisterTest("DetectReplaceParseTest05", DetectReplaceParseTest05, 1);
UtRegisterTest("DetectReplaceParseTest06", DetectReplaceParseTest06, 1);
UtRegisterTest("DetectReplaceParseTest07", DetectReplaceParseTest07, 0);
UtRegisterTest("DetectReplaceParseTest07", DetectReplaceParseTest07, 1);
#endif /* UNITTESTS */
}

2
src/detect-threshold.c
Unescape Escape View File

@ -411,7 +411,7 @@ static int DetectThresholdTestSig1(void) {
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; content:\"A\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; content:\"A\"; threshold: type limit, track by_dst, count 5, seconds 60; dsize:>0; sid:1;)");
if (s == NULL) {
goto end;
}

4
src/detect-within.c
Unescape Escape View File

@ -872,7 +872,7 @@ int DetectWithinTestPacket01 (void) {
char sig[] = "alert tcp any any -> any any (msg:\"pcre with within "
"modifier\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\";"
" content:\"HTTP\"; within:5; sid:49; rev:1;)";
" content:\"HTTP\"; within:5; dsize:>1; sid:49; rev:1;)";
result = UTHPacketMatchSig(p, sig);
@ -893,7 +893,7 @@ int DetectWithinTestPacket02 (void) {
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"pcre with within "
"modifier\"; content:\"Five\"; content:\"Ten\"; within:3; distance:1; sid:1;)";
"modifier\"; content:\"Five\"; content:\"Ten\"; within:3; distance:1; dsize:>1; sid:1;)";
result = UTHPacketMatchSig(p, sig);

115
src/detect.c
Unescape Escape View File

@ -1692,7 +1692,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
/* Limit the number of times we do this recursive thing.
* XXX is this a sane limit? Should it be configurable? */
if (recursion_cnt == 10)
goto done;
goto next;
} while (rmatch);
} else {
@ -1729,9 +1729,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
next:
RULE_PROFILING_END(s, match);
continue;
done:
RULE_PROFILING_END(s, match);
break;
}
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_RULES);
@ -4416,7 +4413,7 @@ static int SigTest01Real (int mpm_type) {
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)";
char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; dsize:>1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, mpm_type) == 0) {
result = 0;
goto end;
@ -4461,7 +4458,7 @@ static int SigTest02Real (int mpm_type) {
"\r\n\r\n";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; dsize:>1; sid:1;)";
int ret = UTHPacketMatchSigMpm(p, sig, mpm_type);
UTHFreePacket(p);
return ret;
@ -4504,7 +4501,7 @@ static int SigTest03Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -4566,7 +4563,7 @@ static int SigTest04Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -4625,7 +4622,7 @@ static int SigTest05Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("sig parse failed: ");
goto end;
@ -4704,7 +4701,7 @@ static int SigTest06Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; dsize:>1; recursive; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -4800,7 +4797,7 @@ static int SigTest07Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -4896,7 +4893,7 @@ static int SigTest08Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -4992,7 +4989,7 @@ static int SigTest09Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -5080,12 +5077,12 @@ static int SigTest10Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; sid:2;)");
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; dsize:>1; sid:2;)");
if (de_ctx->sig_list->next == NULL) {
result = 0;
goto end;
@ -5167,11 +5164,11 @@ static int SigTest11Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; dsize:>1; sid:2;)");
if (de_ctx->sig_list->next == NULL) {
goto end;
}
@ -5232,7 +5229,7 @@ static int SigTest12Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -5297,7 +5294,7 @@ static int SigTest13Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -5353,7 +5350,7 @@ static int SigTest14Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -5421,7 +5418,7 @@ static int SigTest15Real (int mpm_type) {
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; dsize:>1; rev:2;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -5484,7 +5481,7 @@ static int SigTest16Real (int mpm_type) {
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; dsize:>1; sid:2008284; rev:2;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -5548,7 +5545,7 @@ static int SigTest17Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -5626,7 +5623,7 @@ static int SigTest18Real (int mpm_type) {
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; dsize:>1; sid:2003055; rev:4;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -5842,12 +5839,12 @@ static int SigTest21Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; dsize:>1; sid:2;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -5932,12 +5929,12 @@ static int SigTest22Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; dsize:>1; sid:2;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -6018,12 +6015,12 @@ static int SigTest23Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; dsize:>1; sid:2;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -6123,7 +6120,7 @@ int SigTest24IPV4Keyword(void)
de_ctx->sig_list = SigInit(de_ctx,
"alert ip any any -> any any "
"(content:\"/one/\"; ipv4-csum:valid; "
"(content:\"/one/\"; ipv4-csum:valid; dsize:>1; "
"msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("sig 1 parse: ");
@ -6132,7 +6129,7 @@ int SigTest24IPV4Keyword(void)
de_ctx->sig_list->next = SigInit(de_ctx,
"alert ip any any -> any any "
"(content:\"/one/\"; ipv4-csum:invalid; "
"(content:\"/one/\"; ipv4-csum:invalid; dsize:>1; "
"msg:\"ipv4-csum keyword check(1)\"; "
"sid:2;)");
if (de_ctx->sig_list->next == NULL) {
@ -6227,7 +6224,7 @@ int SigTest25NegativeIPV4Keyword(void)
de_ctx->sig_list = SigInit(de_ctx,
"alert ip any any -> any any "
"(content:\"/one/\"; ipv4-csum:invalid; "
"(content:\"/one/\"; ipv4-csum:invalid; dsize:>1; "
"msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result &= 0;
@ -6236,7 +6233,7 @@ int SigTest25NegativeIPV4Keyword(void)
de_ctx->sig_list->next = SigInit(de_ctx,
"alert ip any any -> any any "
"(content:\"/one/\"; ipv4-csum:valid; "
"(content:\"/one/\"; ipv4-csum:valid; dsize:>1; "
"msg:\"ipv4-csum keyword check(1)\"; "
"sid:2;)");
if (de_ctx->sig_list->next == NULL) {
@ -6349,7 +6346,7 @@ int SigTest26TCPV4Keyword(void)
de_ctx->sig_list->next = SigInit(de_ctx,
"alert ip any any -> any any "
"(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
"(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:>1; "
"msg:\"tcpv4-csum keyword check(1)\"; "
"sid:2;)");
if (de_ctx->sig_list->next == NULL) {
@ -6820,7 +6817,7 @@ int SigTest30UDPV4Keyword(void)
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(content:\"/one/\"; udpv4-csum:valid; "
"(content:\"/one/\"; udpv4-csum:valid; dsize:>1; "
"msg:\"udpv4-csum keyword check(1)\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -6830,7 +6827,7 @@ int SigTest30UDPV4Keyword(void)
de_ctx->sig_list->next = SigInit(de_ctx,
"alert udp any any -> any any "
"(content:\"/one/\"; udpv4-csum:invalid; "
"(content:\"/one/\"; udpv4-csum:invalid; dsize:>1; "
"msg:\"udpv4-csum keyword check(1)\"; "
"sid:2;)");
if (de_ctx->sig_list->next == NULL) {
@ -7062,7 +7059,7 @@ int SigTest32UDPV6Keyword(void)
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(content:\"/one/\"; udpv6-csum:valid; "
"(content:\"/one/\"; udpv6-csum:valid; dsize:>1; "
"msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result &= 0;
@ -7071,7 +7068,7 @@ int SigTest32UDPV6Keyword(void)
de_ctx->sig_list->next = SigInit(de_ctx,
"alert udp any any -> any any "
"(content:\"/one/\"; udpv6-csum:invalid; "
"(content:\"/one/\"; udpv6-csum:invalid; dsize:>1; "
"msg:\"udpv6-csum keyword check(1)\"; "
"sid:2;)");
if (de_ctx->sig_list->next == NULL) {
@ -7300,7 +7297,7 @@ int SigTest34ICMPV4Keyword(void)
de_ctx->sig_list = SigInit(de_ctx,
"alert icmp any any -> any any "
"(content:\"/one/\"; icmpv4-csum:valid; "
"msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
"msg:\"icmpv4-csum keyword check(1)\"; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result &= 0;
goto end;
@ -7309,7 +7306,7 @@ int SigTest34ICMPV4Keyword(void)
de_ctx->sig_list->next = SigInit(de_ctx,
"alert icmp any any -> any any "
"(content:\"/one/\"; icmpv4-csum:invalid; "
"msg:\"icmpv4-csum keyword check(1)\"; "
"msg:\"icmpv4-csum keyword check(1)\"; dsize:>1; "
"sid:2;)");
if (de_ctx->sig_list->next == NULL) {
result = 0;
@ -7807,7 +7804,7 @@ int SigTest38Real(int mpm_type)
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(content:\"LEN1|20|\"; "
"byte_test:4,=,8,0; "
"byte_test:4,=,8,0; dsize:>1; "
"msg:\"byte_test keyword check(1)\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result &= 0;
@ -7816,7 +7813,7 @@ int SigTest38Real(int mpm_type)
de_ctx->sig_list->next = SigInit(de_ctx,
"alert tcp any any -> any any "
"(content:\"LEN1|20|\"; "
"byte_test:4,=,8,5,relative,string,dec; "
"byte_test:4,=,8,5,relative,string,dec; dsize:>1; "
"msg:\"byte_test keyword check(2)\"; sid:2;)");
if (de_ctx->sig_list->next == NULL) {
result &= 0;
@ -7951,7 +7948,7 @@ int SigTest39Real(int mpm_type)
"(content:\"LEN1|20|\"; "
"byte_test:4,=,8,0; "
"byte_jump:4,0; "
"byte_test:6,=,0x4c454e312038,0,relative; "
"byte_test:6,=,0x4c454e312038,0,relative; dsize:>1; "
"msg:\"byte_jump keyword check(1)\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result &= 0;
@ -7963,7 +7960,7 @@ int SigTest39Real(int mpm_type)
"(content:\"LEN1|20|\"; "
"byte_test:4,=,8,4,relative,string,dec; "
"byte_jump:4,4,relative,string,dec,post_offset 2; "
"byte_test:4,=,0x4c454e32,0,relative; "
"byte_test:4,=,0x4c454e32,0,relative; dsize:>1; "
"msg:\"byte_jump keyword check(2)\"; sid:2;)");
if (de_ctx->sig_list->next == NULL) {
result &= 0;
@ -8079,7 +8076,7 @@ int SigTest36ContentAndIsdataatKeywords01Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; dsize:>1; sid:101;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -9290,7 +9287,7 @@ static int SigTestSgh05 (void) {
de_ctx->flags |= DE_QUIET;
de_ctx->mpm_matcher = MPM_WUMANBER;
de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.6 any (msg:\"1\"; content:\"one\"; content:\"1\"; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.6 any (msg:\"1\"; content:\"one\"; content:\"1\"; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -9345,7 +9342,7 @@ static int SigTestContent01Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -9398,13 +9395,13 @@ static int SigTestContent02Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; dsize:>1; sid:2;)");
if (de_ctx->sig_list->next == NULL) {
result = 0;
goto end;
@ -9461,7 +9458,7 @@ static int SigTestContent03Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -9515,7 +9512,7 @@ static int SigTestContent04Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -9570,12 +9567,12 @@ static int SigTestContent05Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("sig1 parse failed: ");
goto end;
}
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; dsize:>1; sid:2;)");
if (de_ctx->sig_list->next == NULL) {
printf("sig2 parse failed: ");
goto end;
@ -9639,12 +9636,12 @@ static int SigTestContent06Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; dsize:>1; sid:2;)");
if (de_ctx->sig_list->next == NULL) {
result = 0;
goto end;
@ -9799,7 +9796,7 @@ static int SigTestWithinReal01 (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; dsize:>1; sid:556;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -9926,7 +9923,7 @@ static int SigTestDepthOffset01Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -9976,7 +9973,7 @@ static int SigTestDetectAlertCounter(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
"content:\"boo\"; sid:1;)");
"content:\"boo\"; dsize:>1; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}

4
src/log-droplog.c
Unescape Escape View File

@ -428,7 +428,7 @@ int LogDropLogTest01()
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any any "
"(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)");
"(msg:\"LogDropLog test\"; content:\"GET\"; dsize:>1; Classtype:unknown; sid:1;)");
result = (de_ctx->sig_list != NULL);
@ -496,7 +496,7 @@ int LogDropLogTest02()
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx->sig_list = SigInit(de_ctx, "alert udp any any -> any any "
"(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)");
"(msg:\"LogDropLog test\"; content:\"GET\"; dsize:>1; Classtype:unknown; sid:1;)");
result = (de_ctx->sig_list != NULL);

42
src/util-action.c
Unescape Escape View File

@ -602,9 +602,9 @@ int UtilActionTest10(void)
goto end;
char *sigs[3];
sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
sigs[1]= "pass ip any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)";
sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; dsize:>1; sid:1;)";
sigs[1]= "pass ip any any -> any any (msg:\"sig 2\"; content:\"wo\"; dsize:>1; sid:2;)";
sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; dsize:>1; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -686,9 +686,9 @@ int UtilActionTest11(void)
goto end;
char *sigs[3];
sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)";
sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; dsize:>1; sid:1;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"wo\"; dsize:>1; sid:2;)";
sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; dsize:>1; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -847,9 +847,9 @@ int UtilActionTest13(void)
goto end;
char *sigs[3];
sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; dsize:>1; sid:1;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; dsize:>1; sid:2;)";
sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; dsize:>1; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -933,9 +933,9 @@ int UtilActionTest14(void)
goto end;
char *sigs[3];
sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; dsize:>1; sid:1;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; dsize:>1; sid:2;)";
sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; dsize:>1; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -1014,7 +1014,7 @@ int UtilActionTest15(void)
char *sigs[3];
sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; dsize:>1; sid:2;)";
sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -1089,7 +1089,7 @@ int UtilActionTest16(void)
char *sigs[3];
sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; dsize:>1; sid:2;)";
sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -1164,7 +1164,7 @@ int UtilActionTest17(void)
char *sigs[3];
sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; dsize:>1; sid:2;)";
sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -1244,7 +1244,7 @@ int UtilActionTest18(void)
char *sigs[3];
sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; dsize:>1; sid:2;)";
sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -1330,7 +1330,7 @@ int UtilActionTest19(void)
char *sigs[3];
sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; dsize:>1; sid:2;)";
sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -1416,7 +1416,7 @@ int UtilActionTest20(void)
char *sigs[3];
sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; dsize:>1; sid:2;)";
sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -1496,7 +1496,7 @@ int UtilActionTest21(void)
char *sigs[3];
sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; dsize:>1; sid:2;)";
sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -1582,7 +1582,7 @@ int UtilActionTest22(void)
char *sigs[3];
sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; dsize:>1; sid:2;)";
sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
uint32_t sid[3] = {1, 2, 3};
@ -1668,7 +1668,7 @@ int UtilActionTest23(void)
char *sigs[3];
sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; dsize:>1; sid:2;)";
sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
uint32_t sid[3] = {1, 2, 3};

Write Preview
Loading…
Cancel
Save