|  |  | @ -1,4 +1,4 @@ | 
			
		
	
		
		
			
				
					
					|  |  |  | /* Copyright (C) 2007-2010 Open Information Security Foundation
 |  |  |  | /* Copyright (C) 2007-2021 Open Information Security Foundation
 | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  * |  |  |  |  * | 
			
		
	
		
		
			
				
					
					|  |  |  |  * You can copy, redistribute or modify this Program under the terms of |  |  |  |  * You can copy, redistribute or modify this Program under the terms of | 
			
		
	
		
		
			
				
					
					|  |  |  |  * the GNU General Public License version 2 as published by the Free |  |  |  |  * the GNU General Public License version 2 as published by the Free | 
			
		
	
	
		
		
			
				
					|  |  | @ -201,12 +201,10 @@ static int ProtoTestParse01 (void) | 
			
		
	
		
		
			
				
					
					|  |  |  |     memset(&dp,0,sizeof(DetectProto)); |  |  |  |     memset(&dp,0,sizeof(DetectProto)); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     int r = DetectProtoParse(&dp, "6"); |  |  |  |     int r = DetectProtoParse(&dp, "6"); | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (r < 0) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         return 1; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     SCLogDebug("DetectProtoParse should have rejected the \"6\" string"); |  |  |  |     FAIL_IF_NOT(r < 0); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     return 0; |  |  |  | 
 | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     PASS; | 
			
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  | /**
 | 
			
		
	
		
		
			
				
					
					|  |  |  |  * \test ProtoTestParse02 is a test to make sure that we parse the |  |  |  |  * \test ProtoTestParse02 is a test to make sure that we parse the | 
			
		
	
	
		
		
			
				
					|  |  | @ -218,12 +216,11 @@ static int ProtoTestParse02 (void) | 
			
		
	
		
		
			
				
					
					|  |  |  |     memset(&dp,0,sizeof(DetectProto)); |  |  |  |     memset(&dp,0,sizeof(DetectProto)); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     int r = DetectProtoParse(&dp, "tcp"); |  |  |  |     int r = DetectProtoParse(&dp, "tcp"); | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (r >= 0 && dp.proto[(IPPROTO_TCP/8)] & (1<<(IPPROTO_TCP%8))) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         return 1; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     SCLogDebug("ProtoTestParse02: Error in parsing the \"tcp\" string"); |  |  |  |     FAIL_IF_NOT(r >= 0); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     return 0; |  |  |  |     FAIL_IF_NOT(dp.proto[(IPPROTO_TCP / 8)] & (1 << (IPPROTO_TCP % 8))); | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     PASS; | 
			
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  | /**
 | 
			
		
	
		
		
			
				
					
					|  |  |  |  * \test ProtoTestParse03 is a test to make sure that we parse the |  |  |  |  * \test ProtoTestParse03 is a test to make sure that we parse the | 
			
		
	
	
		
		
			
				
					|  |  | @ -235,12 +232,11 @@ static int ProtoTestParse03 (void) | 
			
		
	
		
		
			
				
					
					|  |  |  |     memset(&dp,0,sizeof(DetectProto)); |  |  |  |     memset(&dp,0,sizeof(DetectProto)); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     int r = DetectProtoParse(&dp, "ip"); |  |  |  |     int r = DetectProtoParse(&dp, "ip"); | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (r >= 0 && dp.flags & DETECT_PROTO_ANY) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         return 1; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     SCLogDebug("ProtoTestParse03: Error in parsing the \"ip\" string"); |  |  |  |     FAIL_IF_NOT(r >= 0); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     return 0; |  |  |  |     FAIL_IF_NOT(dp.flags & DETECT_PROTO_ANY); | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     PASS; | 
			
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  | /**
 | 
			
		
	
	
		
		
			
				
					|  |  | @ -254,12 +250,10 @@ static int ProtoTestParse04 (void) | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     /* Check for a bad number */ |  |  |  |     /* Check for a bad number */ | 
			
		
	
		
		
			
				
					
					|  |  |  |     int r = DetectProtoParse(&dp, "4242"); |  |  |  |     int r = DetectProtoParse(&dp, "4242"); | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (r < 0) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         return 1; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     SCLogDebug("ProtoTestParse04: it should not parsing the \"4242\" string"); |  |  |  |     FAIL_IF_NOT(r < 0); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     return 0; |  |  |  | 
 | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     PASS; | 
			
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  | /**
 | 
			
		
	
	
		
		
			
				
					|  |  | @ -273,12 +267,10 @@ static int ProtoTestParse05 (void) | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     /* Check for a bad string */ |  |  |  |     /* Check for a bad string */ | 
			
		
	
		
		
			
				
					
					|  |  |  |     int r = DetectProtoParse(&dp, "tcp/udp"); |  |  |  |     int r = DetectProtoParse(&dp, "tcp/udp"); | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (r < 0) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         return 1; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     SCLogDebug("ProtoTestParse05: it should not parsing the \"tcp/udp\" string"); |  |  |  |     FAIL_IF_NOT(r < 0); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     return 0; |  |  |  | 
 | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     PASS; | 
			
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  | /**
 | 
			
		
	
	
		
		
			
				
					|  |  | @ -291,17 +283,11 @@ static int ProtoTestParse06 (void) | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     /* Check for a bad string */ |  |  |  |     /* Check for a bad string */ | 
			
		
	
		
		
			
				
					
					|  |  |  |     int r = DetectProtoParse(&dp, "tcp-pkt"); |  |  |  |     int r = DetectProtoParse(&dp, "tcp-pkt"); | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (r < 0) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         printf("parsing tcp-pkt failed: "); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         return 0; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (!(dp.flags & DETECT_PROTO_ONLY_PKT)) { |  |  |  |     FAIL_IF(r < 0); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         printf("DETECT_PROTO_ONLY_PKT flag not set: "); |  |  |  |     FAIL_IF_NOT(dp.flags & DETECT_PROTO_ONLY_PKT); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         return 0; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     return 1; |  |  |  |     PASS; | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  | /**
 | 
			
		
	
	
		
		
			
				
					|  |  | @ -314,17 +300,11 @@ static int ProtoTestParse07 (void) | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     /* Check for a bad string */ |  |  |  |     /* Check for a bad string */ | 
			
		
	
		
		
			
				
					
					|  |  |  |     int r = DetectProtoParse(&dp, "tcp-stream"); |  |  |  |     int r = DetectProtoParse(&dp, "tcp-stream"); | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (r < 0) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         printf("parsing tcp-stream failed: "); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         return 0; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (!(dp.flags & DETECT_PROTO_ONLY_STREAM)) { |  |  |  |     FAIL_IF(r < 0); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         printf("DETECT_PROTO_ONLY_STREAM flag not set: "); |  |  |  |     FAIL_IF_NOT(dp.flags & DETECT_PROTO_ONLY_STREAM); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         return 0; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     return 1; |  |  |  |     PASS; | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  | /**
 | 
			
		
	
	
		
		
			
				
					|  |  | @ -336,38 +316,22 @@ static int DetectProtoTestSetup01(void) | 
			
		
	
		
		
			
				
					
					|  |  |  |     DetectProto dp; |  |  |  |     DetectProto dp; | 
			
		
	
		
		
			
				
					
					|  |  |  |     Signature *sig = NULL; |  |  |  |     Signature *sig = NULL; | 
			
		
	
		
		
			
				
					
					|  |  |  |     DetectEngineCtx *de_ctx = NULL; |  |  |  |     DetectEngineCtx *de_ctx = NULL; | 
			
		
	
		
		
			
				
					
					|  |  |  |     int result = 0; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     int i; |  |  |  |     int i; | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     memset(&dp, 0, sizeof(dp)); |  |  |  |     memset(&dp, 0, sizeof(dp)); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     result = DetectProtoInitTest(&de_ctx, &sig, &dp, "tcp"); |  |  |  |     FAIL_IF_NOT(DetectProtoInitTest(&de_ctx, &sig, &dp, "tcp")); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     if (result == 0) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     result = 0; |  |  |  |  | 
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     /* The signature proto should be TCP */ |  |  |  |     /* The signature proto should be TCP */ | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (!(sig->proto.proto[(IPPROTO_TCP/8)] & (1<<(IPPROTO_TCP%8)))) { |  |  |  |     FAIL_IF_NOT(sig->proto.proto[(IPPROTO_TCP / 8)] & (1 << (IPPROTO_TCP % 8))); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |          printf("failed in sig matching\n"); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         goto cleanup; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     for (i = 2; i < 256/8; i++) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         if (sig->proto.proto[i] != 0) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             printf("failed in sig clear\n"); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             goto cleanup; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     result = 1; |  |  |  |     for (i = 2; i < 256 / 8; i++) { | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |         FAIL_IF(sig->proto.proto[i] != 0); | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     } | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | cleanup: |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     SigGroupCleanup(de_ctx); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     SigCleanSignatures(de_ctx); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     DetectEngineCtxFree(de_ctx); |  |  |  |     DetectEngineCtxFree(de_ctx); | 
			
		
	
		
		
			
				
					
					|  |  |  | end: |  |  |  | 
 | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     return result; |  |  |  |     PASS; | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  | /**
 | 
			
		
	
	
		
		
			
				
					|  |  | @ -381,75 +345,22 @@ static int DetectProtoTestSetup02(void) | 
			
		
	
		
		
			
				
					
					|  |  |  |     Signature *sig_icmpv6 = NULL; |  |  |  |     Signature *sig_icmpv6 = NULL; | 
			
		
	
		
		
			
				
					
					|  |  |  |     Signature *sig_icmp = NULL; |  |  |  |     Signature *sig_icmp = NULL; | 
			
		
	
		
		
			
				
					
					|  |  |  |     DetectEngineCtx *de_ctx = NULL; |  |  |  |     DetectEngineCtx *de_ctx = NULL; | 
			
		
	
		
		
			
				
					
					|  |  |  |     int result = 0; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     int i; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     memset(&dp, 0, sizeof(dp)); |  |  |  |     memset(&dp, 0, sizeof(dp)); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (DetectProtoInitTest(&de_ctx, &sig_icmpv4, &dp, "icmpv4") == 0) { |  |  |  |     FAIL_IF(DetectProtoInitTest(&de_ctx, &sig_icmpv4, &dp, "icmpv4") == 0); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         printf("failure - imcpv4.\n"); |  |  |  |     FAIL_IF(DetectProtoInitTest(&de_ctx, &sig_icmpv6, &dp, "icmpv6") == 0); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         goto end; |  |  |  |     FAIL_IF(DetectProtoInitTest(&de_ctx, &sig_icmp, &dp, "icmp") == 0); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (DetectProtoInitTest(&de_ctx, &sig_icmpv6, &dp, "icmpv6") == 0) { |  |  |  |     FAIL_IF_NOT(sig_icmpv4->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8))); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         printf("failure - imcpv6.\n"); |  |  |  |     FAIL_IF_NOT(sig_icmpv6->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8))); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (DetectProtoInitTest(&de_ctx, &sig_icmp, &dp, "icmp") == 0) { |  |  |  |     FAIL_IF_NOT(sig_icmp->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8))); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         printf("failure - imcp.\n"); |  |  |  |     FAIL_IF_NOT(sig_icmp->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8))); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     for (i = 0; i < 256 / 8; i++) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         if (i == IPPROTO_ICMP) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             if (!(sig_icmpv4->proto.proto[i / 8] & (1 << (i % 8)))) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |                 printf("failed in sig matching - icmpv4 - icmpv4.\n"); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |                 goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             continue; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         if (sig_icmpv4->proto.proto[i / 8] & (1 << (i % 8))) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             printf("failed in sig matching - icmpv4 - others.\n"); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     for (i = 0; i < 256 / 8; i++) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         if (i == IPPROTO_ICMPV6) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             if (!(sig_icmpv6->proto.proto[i / 8] & (1 << (i % 8)))) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |                 printf("failed in sig matching - icmpv6 - icmpv6.\n"); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |                 goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             continue; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         if (sig_icmpv6->proto.proto[i / 8] & (1 << (i % 8))) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             printf("failed in sig matching - icmpv6 - others.\n"); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     for (i = 0; i < 256 / 8; i++) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         if (i == IPPROTO_ICMP || i == IPPROTO_ICMPV6) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             if (!(sig_icmp->proto.proto[i / 8] & (1 << (i % 8)))) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |                 printf("failed in sig matching - icmp - icmp.\n"); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |                 goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             continue; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         if (sig_icmpv6->proto.proto[i / 8] & (1 << (i % 8))) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             printf("failed in sig matching - icmp - others.\n"); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     result = 1; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |  end: |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     SigGroupCleanup(de_ctx); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     SigCleanSignatures(de_ctx); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     DetectEngineCtxFree(de_ctx); |  |  |  |     DetectEngineCtxFree(de_ctx); | 
			
		
	
		
		
			
				
					
					|  |  |  |     return result; |  |  |  | 
 | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     PASS; | 
			
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  | /**
 | 
			
		
	
	
		
		
			
				
					|  |  | @ -460,11 +371,8 @@ static int DetectProtoTestSetup02(void) | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | static int DetectProtoTestSig01(void) |  |  |  | static int DetectProtoTestSig01(void) | 
			
		
	
		
		
			
				
					
					|  |  |  | { |  |  |  | { | 
			
		
	
		
		
			
				
					
					|  |  |  |     Packet *p = NULL; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     Signature *s = NULL; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     ThreadVars th_v; |  |  |  |     ThreadVars th_v; | 
			
		
	
		
		
			
				
					
					|  |  |  |     DetectEngineThreadCtx *det_ctx; |  |  |  |     DetectEngineThreadCtx *det_ctx; | 
			
		
	
		
		
			
				
					
					|  |  |  |     int result = 0; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     Flow f; |  |  |  |     Flow f; | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     memset(&f, 0, sizeof(Flow)); |  |  |  |     memset(&f, 0, sizeof(Flow)); | 
			
		
	
	
		
		
			
				
					|  |  | @ -472,66 +380,47 @@ static int DetectProtoTestSig01(void) | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     FLOW_INITIALIZE(&f); |  |  |  |     FLOW_INITIALIZE(&f); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); |  |  |  |     Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     FAIL_IF_NULL(p); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     p->flow = &f; |  |  |  |     p->flow = &f; | 
			
		
	
		
		
			
				
					
					|  |  |  |     p->flowflags |= FLOW_PKT_TOSERVER; |  |  |  |     p->flowflags |= FLOW_PKT_TOSERVER; | 
			
		
	
		
		
			
				
					
					|  |  |  |     p->flags |= PKT_HAS_FLOW; |  |  |  |     p->flags |= PKT_HAS_FLOW; | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |  |  |  |     DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (de_ctx == NULL) { |  |  |  |     FAIL_IF_NULL(de_ctx); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     de_ctx->flags |= DE_QUIET; |  |  |  |     de_ctx->flags |= DE_QUIET; | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     s = de_ctx->sig_list = SigInit(de_ctx,"alert udp any any -> any any " |  |  |  |     Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any " | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |             "(msg:\"Not tcp\"; flow:to_server; sid:1;)"); |  |  |  |                                                  "(msg:\"Not tcp\"; flow:to_server; sid:1;)"); | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     FAIL_IF_NULL(s); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (s == NULL) |  |  |  |     s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any " | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         goto end; |  |  |  |                                       "(msg:\"IP\"; flow:to_server; sid:2;)"); | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     FAIL_IF_NULL(s); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     s = s->next = SigInit(de_ctx,"alert ip any any -> any any " |  |  |  |     s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any " | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |             "(msg:\"IP\"; flow:to_server; sid:2;)"); |  |  |  |                                       "(msg:\"TCP\"; flow:to_server; sid:3;)"); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |     FAIL_IF_NULL(s); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     if (s == NULL) |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     s = s->next = SigInit(de_ctx,"alert tcp any any -> any any " |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             "(msg:\"TCP\"; flow:to_server; sid:3;)"); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (s == NULL) |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         goto end; |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     SigGroupBuild(de_ctx); |  |  |  |     SigGroupBuild(de_ctx); | 
			
		
	
		
		
			
				
					
					|  |  |  |     DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |  |  |  |     DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |  |  |  |     SigMatchSignatures(&th_v, de_ctx, det_ctx, p); | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (PacketAlertCheck(p, 1)) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         printf("sid 1 alerted, but should not have: "); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         goto cleanup; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } else if (PacketAlertCheck(p, 2) == 0) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         printf("sid 2 did not alert, but should have: "); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         goto cleanup; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } else if (PacketAlertCheck(p, 3) == 0) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         printf("sid 3 did not alert, but should have: "); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         goto cleanup; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     result = 1; |  |  |  |     FAIL_IF(PacketAlertCheck(p, 1)); | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     FAIL_IF_NOT(PacketAlertCheck(p, 2)); | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     FAIL_IF_NOT(PacketAlertCheck(p, 3)); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | cleanup: |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     FLOW_DESTROY(&f); |  |  |  |     FLOW_DESTROY(&f); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     SigGroupCleanup(de_ctx); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     SigCleanSignatures(de_ctx); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |  |  |  |     DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); | 
			
		
	
		
		
			
				
					
					|  |  |  |     DetectEngineCtxFree(de_ctx); |  |  |  |     DetectEngineCtxFree(de_ctx); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     UTHFreePackets(&p, 1); |  |  |  |     UTHFreePackets(&p, 1); | 
			
		
	
		
		
			
				
					
					|  |  |  | end: |  |  |  | 
 | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     return result; |  |  |  |     PASS; | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  | /**
 | 
			
		
	
	
		
		
			
				
					|  |  | @ -540,36 +429,22 @@ end: | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | static int DetectProtoTestSig02(void) |  |  |  | static int DetectProtoTestSig02(void) | 
			
		
	
		
		
			
				
					
					|  |  |  | { |  |  |  | { | 
			
		
	
		
		
			
				
					
					|  |  |  |     Signature *s = NULL; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     int result = 0; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |  |  |  |     DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (de_ctx == NULL) { |  |  |  |     FAIL_IF_NULL(de_ctx); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     de_ctx->flags |= DE_QUIET; |  |  |  |     de_ctx->flags |= DE_QUIET; | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp-pkt any any -> any any " |  |  |  |     Signature *s = DetectEngineAppendSig( | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |             "(msg:\"tcp-pkt\"; content:\"blah\"; sid:1;)"); |  |  |  |             de_ctx, "alert tcp-pkt any any -> any any (msg:\"tcp-pkt\"; content:\"blah\"; sid:1;)"); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     if (s == NULL) { |  |  |  |     FAIL_IF_NULL(s); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         printf("tcp-pkt sig parsing failed: "); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     s = s->next = SigInit(de_ctx,"alert tcp-stream any any -> any any " |  |  |  |     s = DetectEngineAppendSig(de_ctx, | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |             "(msg:\"tcp-stream\"; content:\"blah\"; sid:2;)"); |  |  |  |             "alert tcp-stream any any -> any any (msg:\"tcp-stream\"; content:\"blah\"; sid:2;)"); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     if (s == NULL) { |  |  |  |     FAIL_IF_NULL(s); | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         printf("tcp-pkt sig parsing failed: "); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         goto end; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     result = 1; |  |  |  |     DetectEngineCtxFree(de_ctx); | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | end: |  |  |  |     PASS; | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     if (de_ctx != NULL) |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         DetectEngineCtxFree(de_ctx); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     return result; |  |  |  |  | 
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | #endif /* UNITTESTS */ |  |  |  | #endif /* UNITTESTS */ | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
	
		
		
			
				
					|  |  | 
 |
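Review bot: The rewritten DetectProtoTestSetup02 asserts only that the expected protocol bits are set; the removed loops also failed the test when an unexpected bit was set in the range they walked, and nothing on the new side replaces that negative check. A parser regression that sets too many bits, so that an `icmpv4` rule would also cover ICMPv6 traffic, would now pass this test. I would add at least the cross checks `FAIL_IF(sig_icmpv4->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8)));` and `FAIL_IF(sig_icmpv6->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8)));` before `DetectEngineCtxFree(de_ctx);`. The function's signature and first declarations are outside the hunk.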