From f92ba23331cb975494734be7442f58182a0dcd52 Mon Sep 17 00:00:00 2001
From: Gurvinder Singh
Date: Tue, 16 Nov 2010 03:05:48 +0100
Subject: [PATCH] add the support for >= and <= operator for byte_test
---
 src/detect-bytetest.c | 76 +++++++++++++++++++++++++++++++++++++++++++
 src/detect-bytetest.h | 12 ++++---
 2 files changed, 83 insertions(+), 5 deletions(-)
diff --git a/src/detect-bytetest.c b/src/detect-bytetest.c
index 96a454d1ec..0ff76fa7b7 100644
--- a/src/detect-bytetest.c
+++ b/src/detect-bytetest.c
@@ -224,6 +224,16 @@ int DetectBytetestDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch
 match = 1;
 }
 break;
+ case DETECT_BYTETEST_OP_GE:
+ if (val >= data->value) {
+ match = 1;
+ }
+ break;
+ case DETECT_BYTETEST_OP_LE:
+ if (val <= data->value) {
+ match = 1;
+ }
+ break;
 default:
 /* Should never get here as we handle this in parsing. */
 SCReturnInt(-1);
@@ -436,6 +446,10 @@ DetectBytetestData *DetectBytetestParse(char *optstr)
 data->op |= DETECT_BYTETEST_OP_AND;
 } else if (strcmp("^", args[2]) == 0) {
 data->op |= DETECT_BYTETEST_OP_OR;
+ } else if (strcmp(">=", args[2]) == 0) {
+ data->op |= DETECT_BYTETEST_OP_GE;
+ } else if (strcmp("<=", args[2]) == 0) {
+ data->op |= DETECT_BYTETEST_OP_LE;
 } else {
 SCLogError(SC_ERR_INVALID_OPERATOR, "Invalid operator");
 goto error;
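Review bot: The two new branches in DetectBytetestParse OR the operator into the field (`data->op |= DETECT_BYTETEST_OP_GE;` and the matching `_LE` line), but the header hunk of this same commit turns the operator constants into the dense values 1–7 rather than distinct bits, so `|=` only produces the intended operator if `op` is still 0 at that point; any earlier write would silently combine into a different operator (2 | 4 reads back as `DETECT_BYTETEST_OP_GE`), changing what the rule matches with no parse error to show for it. Plain assignment, `data->op = DETECT_BYTETEST_OP_GE;` and `data->op = DETECT_BYTETEST_OP_LE;`, states the intent and is correct regardless of prior state; the three pre-existing `|=` lines in the context deserve the same treatment. Whether `op` is guaranteed zero here is not visible in the hunk, and DetectBytetestParse starts and ends outside it.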
@@ -1400,6 +1414,66 @@ end:
 return result;
 }
+/** \test Test the byte_test signature matching with operator <= */
+int DetectByteTestTestPacket04(void)
+{
+ int result = 0;
+ uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
+ "User-Agent: Wget/1.11.4"
+ "Accept: */*"
+ "Host: www.google.com"
+ "Connection: Keep-Alive"
+ "Date: Mon, 04 Jan 2010 17:29:39 GMT";
+ uint16_t buflen = strlen((char *)buf);
+
+ Packet *p;
+ p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
+
+ if (p == NULL)
+ goto end;
+
+ char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
+ "relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
+ "byte_test:1,<=,0,0,relative,string,dec; sid:124; rev:1;)";
+
+ result = UTHPacketMatchSig(p, sig);
+
+ UTHFreePacket(p);
+
+end:
+ return result;
+}
+
+/** \test Test the byte_test signature matching with operator >= */
+int DetectByteTestTestPacket05(void)
+{
+ int result = 0;
+ uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
+ "User-Agent: Wget/1.11.4"
+ "Accept: */*"
+ "Host: www.google.com"
+ "Connection: Keep-Alive"
+ "Date: Mon, 04 Jan 2010 17:29:39 GMT";
+ uint16_t buflen = strlen((char *)buf);
+
+ Packet *p;
+ p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
+
+ if (p == NULL)
+ goto end;
+
+ char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
+ "relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
+ "byte_test:1,>=,0,0,relative,string,dec; sid:125; rev:1;)";
+
+ result = UTHPacketMatchSig(p, sig);
+
+ UTHFreePacket(p);
+
+end:
+ return result;
+} + +#endif /* UNITTESTS */
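Review bot: Both new tests only probe the point where the new operators coincide with `=`: the byte after `HTTP/1.` in the buffer is `0` and each signature compares it with 0, so DetectByteTestTestPacket04 (`<=`) and DetectByteTestTestPacket05 (`>=`) would still pass if the new `switch` cases in DetectBytetestDoMatch were wired to `DETECT_BYTETEST_OP_EQ`, or swapped with each other. A strict comparison pins the semantics: in 04 use `byte_test:1,<=,1,0,relative,string,dec` (0 <= 1 must match, while `=` and `>=` would not), and in 05 add a companion signature with `byte_test:1,>=,1,0,relative,string,dec` whose non-match is asserted, e.g. `result = (UTHPacketMatchSig(p, sig) == 1 && UTHPacketMatchSig(p, sig2) == 0);` — this assumes UTHPacketMatchSig returns 1 on match, which is what the existing `result = UTHPacketMatchSig(p, sig);` implies but the hunk does not show. The packet buffer and the two leading content matches are identical in 04 and 05, so a small static helper taking the byte_test operator string and the expected outcome would remove the duplication. Both functions lie entirely inside the hunk.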
@@ -1431,6 +1505,8 @@ void DetectBytetestRegisterTests(void) {
 UtRegisterTest("DetectByteTestTestPacket01", DetectByteTestTestPacket01, 1);
 UtRegisterTest("DetectByteTestTestPacket02", DetectByteTestTestPacket02, 1);
 UtRegisterTest("DetectByteTestTestPacket03", DetectByteTestTestPacket03, 1);
+ UtRegisterTest("DetectByteTestTestPacket04", DetectByteTestTestPacket04, 1);
+ UtRegisterTest("DetectByteTestTestPacket05", DetectByteTestTestPacket05, 1);
 #endif /* UNITTESTS */
 }
diff --git a/src/detect-bytetest.h b/src/detect-bytetest.h
index 8cc2e01dcf..21ccfec662 100644
--- a/src/detect-bytetest.h
+++ b/src/detect-bytetest.h
@@ -25,11 +25,13 @@
 #define __DETECT_BYTETEST_H__
 /** Bytetest Operators */
-#define DETECT_BYTETEST_OP_LT '<' /**< "less than" operator */
-#define DETECT_BYTETEST_OP_GT '>' /**< "greater than" operator */
-#define DETECT_BYTETEST_OP_EQ '=' /**< "equals" operator */
-#define DETECT_BYTETEST_OP_AND '&' /**< "bitwise and" operator */
-#define DETECT_BYTETEST_OP_OR '^' /**< "bitwise or" operator */
+#define DETECT_BYTETEST_OP_LT 1 /**< "less than" operator */
+#define DETECT_BYTETEST_OP_GT 2 /**< "greater than" operator */
+#define DETECT_BYTETEST_OP_EQ 3 /**< "equals" operator */
+#define DETECT_BYTETEST_OP_AND 4 /**< "bitwise and" operator */
+#define DETECT_BYTETEST_OP_OR 5 /**< "bitwise or" operator */
+#define DETECT_BYTETEST_OP_GE 6 /**< greater than equal operator */
+#define DETECT_BYTETEST_OP_LE 7 /**< less than equal operator */
 /** Bytetest Base */
 #define DETECT_BYTETEST_BASE_UNSET 0 /**< Unset type value string (automatic)*/
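Review bot: The doc comments on the two added constants `DETECT_BYTETEST_OP_GE` and `DETECT_BYTETEST_OP_LE` in detect-bytetest.h drop the convention of the five lines above them, which quote the operator name and end in "operator" (`/**< "less than" operator */`). Writing them as `/**< "greater than or equal" operator */` and `/**< "less than or equal" operator */` keeps the table uniform and names the operators the way a rule author reads them. Since this hunk also replaces the character constants with a dense 1–7 range, the set is now an enumeration in all but name; an `enum` would let the compiler warn when the `switch` in DetectBytetestDoMatch misses a newly added operator, but that is a larger change than this commit needs and is better left to a follow-up.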