~ubuntu-branches/ubuntu/saucy/suricata/saucy-updates


Viewing changes to src/detect-fast-pattern.c

  • Committer: Package Import Robot
  • Author(s): Pierre Chifflier
  • Date: 2013-05-29 16:24:52 UTC
  • mfrom: (1.1.20)
  • Revision ID: package-import@ubuntu.com-20130529162452-kujdwfkf24i9qdfu
Tags: 1.4.2-1
Imported Upstream version 1.4.2

16894
16894
 
16895
16895
    de_ctx->flags |= DE_QUIET;
16896
16896
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
16897
 
                               "(content:\"one\"; http_host; nocase; "
16898
 
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; nocase; "
16899
 
                               "content:\"three\"; http_host; nocase; sid:1;)");
 
16897
                               "(content:\"one\"; http_host; "
 
16898
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; "
 
16899
                               "content:\"three\"; http_host; sid:1;)");
16900
16900
    if (de_ctx->sig_list == NULL)
16901
16901
        goto end;
16902
16902
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
16903
16903
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
16904
16904
        ud->flags & DETECT_CONTENT_NEGATED &&
16905
 
        ud->flags & DETECT_CONTENT_NOCASE &&
16906
16905
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
16907
16906
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
16908
16907
        ud->fp_chop_offset == 3 &&
16932
16931
 
16933
16932
    de_ctx->flags |= DE_QUIET;
16934
16933
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
16935
 
                               "(content:\"one\"; fast_pattern:only; http_host; nocase; "
 
16934
                               "(content:\"one\"; fast_pattern:only; http_host;  "
16936
16935
                               "msg:\"Testing fast_pattern\"; sid:1;)");
16937
16936
    if (de_ctx->sig_list == NULL)
16938
16937
        goto end;
16941
16940
    sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH];
16942
16941
    if (sm != NULL) {
16943
16942
        if ( (((DetectContentData *)sm->ctx)->flags &
16944
 
             DETECT_CONTENT_FAST_PATTERN) &&
16945
 
             (((DetectContentData *)sm->ctx)->flags &
16946
 
              DETECT_CONTENT_NOCASE)) {
 
16943
              DETECT_CONTENT_FAST_PATTERN)) {
16947
16944
            result = 1;
16948
16945
        } else {
16949
16946
            result = 0;
16971
16968
 
16972
16969
    de_ctx->flags |= DE_QUIET;
16973
16970
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
16974
 
                               "(content:\"oneoneone\"; fast_pattern:3,4; http_host; nocase; "
 
16971
                               "(content:\"oneoneone\"; fast_pattern:3,4; http_host; "
16975
16972
                               "msg:\"Testing fast_pattern\"; sid:1;)");
16976
16973
    if (de_ctx->sig_list == NULL)
16977
16974
        goto end;
16980
16977
    sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_HHHDMATCH];
16981
16978
    if (sm != NULL) {
16982
16979
        if ( (((DetectContentData *)sm->ctx)->flags &
16983
 
              DETECT_CONTENT_FAST_PATTERN) &&
16984
 
             (((DetectContentData *)sm->ctx)->flags &
16985
 
              DETECT_CONTENT_NOCASE)) {
 
16980
              DETECT_CONTENT_FAST_PATTERN)) {
16986
16981
            result = 1;
16987
16982
        } else {
16988
16983
            result = 0;
17006
17001
 
17007
17002
    de_ctx->flags |= DE_QUIET;
17008
17003
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17009
 
                               "(content:\"one\"; fast_pattern:only; http_host; nocase; sid:1;)");
 
17004
                               "(content:\"one\"; fast_pattern:only; http_host; sid:1;)");
17010
17005
    if (de_ctx->sig_list == NULL)
17011
17006
        goto end;
17012
17007
 
17016
17011
    }
17017
17012
    DetectContentData *ud = sm->ctx;
17018
17013
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17019
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17020
17014
            ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
17021
17015
            !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
17022
17016
            ud->fp_chop_offset == 0 &&
17043
17037
 
17044
17038
    de_ctx->flags |= DE_QUIET;
17045
17039
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17046
 
                               "(content:\"oneoneone\"; fast_pattern:3,4; http_host; nocase; sid:1;)");
 
17040
                               "(content:\"oneoneone\"; fast_pattern:3,4; http_host; sid:1;)");
17047
17041
    if (de_ctx->sig_list == NULL)
17048
17042
        goto end;
17049
17043
 
17054
17048
 
17055
17049
    DetectContentData *ud = sm->ctx;
17056
17050
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17057
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17058
17051
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17059
17052
            ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
17060
17053
            ud->fp_chop_offset == 3 &&
17080
17073
 
17081
17074
    de_ctx->flags |= DE_QUIET;
17082
17075
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17083
 
                               "(content:\"one\"; http_host; nocase; "
17084
 
                               "content:\"two\"; fast_pattern:only; http_host; distance:10; nocase; sid:1;)");
 
17076
                               "(content:\"one\"; http_host; "
 
17077
                               "content:\"two\"; fast_pattern:only; http_host; distance:10; sid:1;)");
17085
17078
    if (de_ctx->sig_list != NULL)
17086
17079
        goto end;
17087
17080
 
17103
17096
 
17104
17097
    de_ctx->flags |= DE_QUIET;
17105
17098
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17106
 
                               "(content:\"one\"; http_host; nocase; "
17107
 
                               "content:\"two\"; distance:10; fast_pattern:only; http_host; nocase; sid:1;)");
 
17099
                               "(content:\"one\"; http_host; "
 
17100
                               "content:\"two\"; distance:10; fast_pattern:only; http_host; sid:1;)");
17108
17101
    if (de_ctx->sig_list != NULL)
17109
17102
        goto end;
17110
17103
 
17126
17119
 
17127
17120
    de_ctx->flags |= DE_QUIET;
17128
17121
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17129
 
                               "(content:\"one\"; http_host; nocase; "
17130
 
                               "content:\"two\"; fast_pattern:only; http_host; within:10; nocase; sid:1;)");
 
17122
                               "(content:\"one\"; http_host; "
 
17123
                               "content:\"two\"; fast_pattern:only; http_host; within:10; sid:1;)");
17131
17124
    if (de_ctx->sig_list != NULL)
17132
17125
        goto end;
17133
17126
 
17149
17142
 
17150
17143
    de_ctx->flags |= DE_QUIET;
17151
17144
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17152
 
                               "(content:\"one\"; http_host; nocase; "
17153
 
                               "content:\"two\"; within:10; fast_pattern:only; http_host; nocase; sid:1;)");
 
17145
                               "(content:\"one\"; http_host; "
 
17146
                               "content:\"two\"; within:10; fast_pattern:only; http_host; sid:1;)");
17154
17147
    if (de_ctx->sig_list != NULL)
17155
17148
        goto end;
17156
17149
 
17172
17165
 
17173
17166
    de_ctx->flags |= DE_QUIET;
17174
17167
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17175
 
                               "(content:\"one\"; http_host; nocase; "
17176
 
                               "content:\"two\"; fast_pattern:only; http_host; offset:10; nocase; sid:1;)");
 
17168
                               "(content:\"one\"; http_host; "
 
17169
                               "content:\"two\"; fast_pattern:only; http_host; offset:10; sid:1;)");
17177
17170
    if (de_ctx->sig_list != NULL)
17178
17171
        goto end;
17179
17172
 
17195
17188
 
17196
17189
    de_ctx->flags |= DE_QUIET;
17197
17190
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17198
 
                               "(content:\"one\"; http_host; nocase; "
17199
 
                               "content:\"two\"; offset:10; fast_pattern:only; http_host; nocase; sid:1;)");
 
17191
                               "(content:\"one\"; http_host; "
 
17192
                               "content:\"two\"; offset:10; fast_pattern:only; http_host; sid:1;)");
17200
17193
    if (de_ctx->sig_list != NULL)
17201
17194
        goto end;
17202
17195
 
17218
17211
 
17219
17212
    de_ctx->flags |= DE_QUIET;
17220
17213
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17221
 
                               "(content:\"one\"; http_host; nocase; "
17222
 
                               "content:\"two\"; fast_pattern:only; http_host; depth:10; nocase; sid:1;)");
 
17214
                               "(content:\"one\"; http_host; "
 
17215
                               "content:\"two\"; fast_pattern:only; http_host; depth:10; sid:1;)");
17223
17216
    if (de_ctx->sig_list != NULL)
17224
17217
        goto end;
17225
17218
 
17241
17234
 
17242
17235
    de_ctx->flags |= DE_QUIET;
17243
17236
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17244
 
                               "(content:\"one\"; http_host; nocase; "
17245
 
                               "content:\"two\"; depth:10; fast_pattern:only; http_host; nocase; sid:1;)");
 
17237
                               "(content:\"one\"; http_host; "
 
17238
                               "content:\"two\"; depth:10; fast_pattern:only; http_host; sid:1;)");
17246
17239
    if (de_ctx->sig_list != NULL)
17247
17240
        goto end;
17248
17241
 
17264
17257
 
17265
17258
    de_ctx->flags |= DE_QUIET;
17266
17259
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17267
 
                               "(content:\"one\"; http_host; nocase; "
17268
 
                               "content:!\"two\"; fast_pattern:only; http_host; nocase; sid:1;)");
 
17260
                               "(content:\"one\"; http_host; "
 
17261
                               "content:!\"two\"; fast_pattern:only; http_host; sid:1;)");
17269
17262
    if (de_ctx->sig_list != NULL)
17270
17263
        goto end;
17271
17264
 
17287
17280
 
17288
17281
    de_ctx->flags |= DE_QUIET;
17289
17282
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17290
 
                               "(content:\" one\"; http_host; nocase; "
17291
 
                               "content:\"two\"; http_host; distance:30; nocase; "
17292
 
                               "content:\"two\"; fast_pattern:only; http_host; nocase; sid:1;)");
 
17283
                               "(content:\" one\"; http_host; "
 
17284
                               "content:\"two\"; http_host; distance:30; "
 
17285
                               "content:\"two\"; fast_pattern:only; http_host; sid:1;)");
17293
17286
    if (de_ctx->sig_list == NULL)
17294
17287
        goto end;
17295
17288
 
17296
17289
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
17297
17290
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17298
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17299
17291
        ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
17300
17292
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
17301
17293
        ud->fp_chop_offset == 0 &&
17321
17313
 
17322
17314
    de_ctx->flags |= DE_QUIET;
17323
17315
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17324
 
                               "(content:\"one\"; http_host; nocase; "
17325
 
                               "content:\"two\"; http_host; within:30; nocase; "
17326
 
                               "content:\"two\"; fast_pattern:only; http_host; nocase; sid:1;)");
 
17316
                               "(content:\"one\"; http_host; "
 
17317
                               "content:\"two\"; http_host; within:30; "
 
17318
                               "content:\"two\"; fast_pattern:only; http_host; sid:1;)");
17327
17319
    if (de_ctx->sig_list == NULL)
17328
17320
        goto end;
17329
17321
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
17330
17322
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17331
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17332
17323
        ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
17333
17324
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
17334
17325
        ud->fp_chop_offset == 0 &&
17354
17345
 
17355
17346
    de_ctx->flags |= DE_QUIET;
17356
17347
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17357
 
                               "(content:\"one\"; http_host; nocase; "
17358
 
                               "content:\"two\"; http_host; offset:30; nocase; "
17359
 
                               "content:\"two\"; fast_pattern:only; http_host; nocase; sid:1;)");
 
17348
                               "(content:\"one\"; http_host; "
 
17349
                               "content:\"two\"; http_host; offset:30; "
 
17350
                               "content:\"two\"; fast_pattern:only; http_host; sid:1;)");
17360
17351
    if (de_ctx->sig_list == NULL)
17361
17352
        goto end;
17362
17353
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
17363
17354
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17364
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17365
17355
        ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
17366
17356
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
17367
17357
        ud->fp_chop_offset == 0 &&
17387
17377
 
17388
17378
    de_ctx->flags |= DE_QUIET;
17389
17379
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17390
 
                               "(content:\"one\"; http_host; nocase; "
17391
 
                               "content:\"two\"; http_host; depth:30; nocase; "
17392
 
                               "content:\"two\"; fast_pattern:only; http_host; nocase; sid:1;)");
 
17380
                               "(content:\"one\"; http_host; "
 
17381
                               "content:\"two\"; http_host; depth:30; "
 
17382
                               "content:\"two\"; fast_pattern:only; http_host; sid:1;)");
17393
17383
    if (de_ctx->sig_list == NULL)
17394
17384
        goto end;
17395
17385
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
17396
17386
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17397
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17398
17387
        ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY &&
17399
17388
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
17400
17389
        ud->fp_chop_offset == 0 &&
17420
17409
 
17421
17410
    de_ctx->flags |= DE_QUIET;
17422
17411
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17423
 
                               "(content:!\"one\"; fast_pattern; http_host; nocase; "
17424
 
                               "content:\"two\"; http_host; nocase; sid:1;)");
 
17412
                               "(content:!\"one\"; fast_pattern; http_host; "
 
17413
                               "content:\"two\"; http_host; sid:1;)");
17425
17414
    if (de_ctx->sig_list == NULL)
17426
17415
        goto end;
17427
17416
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
17428
17417
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17429
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17430
17418
        ud->flags & DETECT_CONTENT_NEGATED &&
17431
17419
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17432
17420
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) &&
17453
17441
 
17454
17442
    de_ctx->flags |= DE_QUIET;
17455
17443
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17456
 
                               "(content:\"two\"; http_host; nocase; "
17457
 
                               "content:!\"one\"; fast_pattern; http_host; distance:20; nocase; sid:1;)");
 
17444
                               "(content:\"two\"; http_host; "
 
17445
                               "content:!\"one\"; fast_pattern; http_host; distance:20; sid:1;)");
17458
17446
    if (de_ctx->sig_list != NULL)
17459
17447
        goto end;
17460
17448
 
17476
17464
 
17477
17465
    de_ctx->flags |= DE_QUIET;
17478
17466
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17479
 
                               "(content:\"two\"; http_host; nocase; "
17480
 
                               "content:!\"one\"; fast_pattern; http_host; within:20; nocase; sid:1;)");
 
17467
                               "(content:\"two\"; http_host; "
 
17468
                               "content:!\"one\"; fast_pattern; http_host; within:20; sid:1;)");
17481
17469
    if (de_ctx->sig_list != NULL)
17482
17470
        goto end;
17483
17471
 
17499
17487
 
17500
17488
    de_ctx->flags |= DE_QUIET;
17501
17489
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17502
 
                               "(content:\"two\"; http_host; nocase; "
17503
 
                               "content:!\"one\"; fast_pattern; http_host; offset:20; nocase; sid:1;)");
 
17490
                               "(content:\"two\"; http_host; "
 
17491
                               "content:!\"one\"; fast_pattern; http_host; offset:20; sid:1;)");
17504
17492
    if (de_ctx->sig_list != NULL)
17505
17493
        goto end;
17506
17494
 
17522
17510
 
17523
17511
    de_ctx->flags |= DE_QUIET;
17524
17512
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17525
 
                               "(content:\"two\"; http_host; nocase; "
17526
 
                               "content:!\"one\"; fast_pattern; http_host; depth:20; nocase; sid:1;)");
 
17513
                               "(content:\"two\"; http_host; "
 
17514
                               "content:!\"one\"; fast_pattern; http_host; depth:20; sid:1;)");
17527
17515
    if (de_ctx->sig_list != NULL)
17528
17516
        goto end;
17529
17517
 
17545
17533
 
17546
17534
    de_ctx->flags |= DE_QUIET;
17547
17535
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17548
 
                               "(content:\"one\"; http_host; nocase; "
17549
 
                               "content:\"oneonetwo\"; fast_pattern:3,4; http_host; nocase; "
17550
 
                               "content:\"three\"; http_host; nocase; sid:1;)");
 
17536
                               "(content:\"one\"; http_host; "
 
17537
                               "content:\"oneonetwo\"; fast_pattern:3,4; http_host; "
 
17538
                               "content:\"three\"; http_host; sid:1;)");
17551
17539
    if (de_ctx->sig_list == NULL)
17552
17540
        goto end;
17553
17541
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
17554
17542
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17555
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17556
17543
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17557
17544
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
17558
17545
        ud->fp_chop_offset == 3 &&
17578
17565
 
17579
17566
    de_ctx->flags |= DE_QUIET;
17580
17567
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17581
 
                               "(content:\"one\"; http_host; nocase; "
17582
 
                               "content:\"oneonetwo\"; fast_pattern:3,4; http_host; nocase; "
17583
 
                               "content:\"three\"; http_host; distance:30; nocase; sid:1;)");
 
17568
                               "(content:\"one\"; http_host; "
 
17569
                               "content:\"oneonetwo\"; fast_pattern:3,4; http_host; "
 
17570
                               "content:\"three\"; http_host; distance:30; sid:1;)");
17584
17571
    if (de_ctx->sig_list == NULL)
17585
17572
        goto end;
17586
17573
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
17587
17574
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17588
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17589
17575
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17590
17576
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
17591
17577
        ud->fp_chop_offset == 3 &&
17611
17597
 
17612
17598
    de_ctx->flags |= DE_QUIET;
17613
17599
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17614
 
                               "(content:\"one\"; http_host; nocase; "
17615
 
                               "content:\"oneonetwo\"; fast_pattern:3,4; http_host; nocase; "
17616
 
                               "content:\"three\"; http_host; within:30; nocase; sid:1;)");
 
17600
                               "(content:\"one\"; http_host; "
 
17601
                               "content:\"oneonetwo\"; fast_pattern:3,4; http_host; "
 
17602
                               "content:\"three\"; http_host; within:30; sid:1;)");
17617
17603
    if (de_ctx->sig_list == NULL)
17618
17604
        goto end;
17619
17605
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
17620
17606
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17621
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17622
17607
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17623
17608
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
17624
17609
        ud->fp_chop_offset == 3 &&
17644
17629
 
17645
17630
    de_ctx->flags |= DE_QUIET;
17646
17631
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17647
 
                               "(content:\"one\"; http_host; nocase; "
17648
 
                               "content:\"oneonetwo\"; fast_pattern:3,4; http_host; nocase; "
17649
 
                               "content:\"three\"; http_host; offset:30; nocase; sid:1;)");
 
17632
                               "(content:\"one\"; http_host; "
 
17633
                               "content:\"oneonetwo\"; fast_pattern:3,4; http_host; "
 
17634
                               "content:\"three\"; http_host; offset:30; sid:1;)");
17650
17635
    if (de_ctx->sig_list == NULL)
17651
17636
        goto end;
17652
17637
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
17653
17638
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17654
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17655
17639
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17656
17640
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
17657
17641
        ud->fp_chop_offset == 3 &&
17677
17661
 
17678
17662
    de_ctx->flags |= DE_QUIET;
17679
17663
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17680
 
                               "(content:\"one\"; http_host; nocase; "
17681
 
                               "content:\"oneonetwo\"; fast_pattern:3,4; http_host; nocase; "
17682
 
                               "content:\"three\"; http_host; depth:30; nocase; sid:1;)");
 
17664
                               "(content:\"one\"; http_host; "
 
17665
                               "content:\"oneonetwo\"; fast_pattern:3,4; http_host; "
 
17666
                               "content:\"three\"; http_host; depth:30; sid:1;)");
17683
17667
    if (de_ctx->sig_list == NULL)
17684
17668
        goto end;
17685
17669
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
17686
17670
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17687
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17688
17671
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17689
17672
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
17690
17673
        ud->fp_chop_offset == 3 &&
17710
17693
 
17711
17694
    de_ctx->flags |= DE_QUIET;
17712
17695
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17713
 
                               "(content:\"one\"; http_host; nocase; "
17714
 
                               "content:\"two\"; http_host; distance:10; nocase; "
17715
 
                               "content:\"oneonethree\"; fast_pattern:3,4; http_host; nocase; sid:1;)");
 
17696
                               "(content:\"one\"; http_host; "
 
17697
                               "content:\"two\"; http_host; distance:10; "
 
17698
                               "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)");
17716
17699
    if (de_ctx->sig_list == NULL)
17717
17700
        goto end;
17718
17701
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
17719
17702
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17720
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17721
17703
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17722
17704
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
17723
17705
        ud->fp_chop_offset == 3 &&
17743
17725
 
17744
17726
    de_ctx->flags |= DE_QUIET;
17745
17727
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17746
 
                               "(content:\"one\"; http_host; nocase; "
17747
 
                               "content:\"two\"; http_host; within:10; nocase; "
17748
 
                               "content:\"oneonethree\"; fast_pattern:3,4; http_host; nocase; sid:1;)");
 
17728
                               "(content:\"one\"; http_host; "
 
17729
                               "content:\"two\"; http_host; within:10; "
 
17730
                               "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)");
17749
17731
    if (de_ctx->sig_list == NULL)
17750
17732
        goto end;
17751
17733
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
17752
17734
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17753
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17754
17735
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17755
17736
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
17756
17737
        ud->fp_chop_offset == 3 &&
17776
17757
 
17777
17758
    de_ctx->flags |= DE_QUIET;
17778
17759
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17779
 
                               "(content:\"one\"; http_host; nocase; "
17780
 
                               "content:\"two\"; http_host; offset:10; nocase; "
17781
 
                               "content:\"oneonethree\"; fast_pattern:3,4; http_host; nocase; sid:1;)");
 
17760
                               "(content:\"one\"; http_host; "
 
17761
                               "content:\"two\"; http_host; offset:10; "
 
17762
                               "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)");
17782
17763
    if (de_ctx->sig_list == NULL)
17783
17764
        goto end;
17784
17765
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
17785
17766
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17786
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17787
17767
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17788
17768
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
17789
17769
        ud->fp_chop_offset == 3 &&
17809
17789
 
17810
17790
    de_ctx->flags |= DE_QUIET;
17811
17791
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17812
 
                               "(content:\"one\"; http_host; nocase; "
17813
 
                               "content:\"two\"; http_host; depth:10; nocase; "
17814
 
                               "content:\"oneonethree\"; fast_pattern:3,4; http_host; nocase; sid:1;)");
 
17792
                               "(content:\"one\"; http_host; "
 
17793
                               "content:\"two\"; http_host; depth:10; "
 
17794
                               "content:\"oneonethree\"; fast_pattern:3,4; http_host; sid:1;)");
17815
17795
    if (de_ctx->sig_list == NULL)
17816
17796
        goto end;
17817
17797
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->ctx;
17818
17798
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17819
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17820
17799
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17821
17800
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
17822
17801
        ud->fp_chop_offset == 3 &&
17845
17824
 
17846
17825
    de_ctx->flags |= DE_QUIET;
17847
17826
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17848
 
                               "(content:\"one\"; http_host; nocase; "
17849
 
                               "content:\"two\"; fast_pattern:65977,4; http_host; nocase; "
17850
 
                               "content:\"three\"; http_host; distance:10; nocase; sid:1;)");
 
17827
                               "(content:\"one\"; http_host; "
 
17828
                               "content:\"two\"; fast_pattern:65977,4; http_host; "
 
17829
                               "content:\"three\"; http_host; distance:10; sid:1;)");
17851
17830
    if (de_ctx->sig_list != NULL)
17852
17831
        goto end;
17853
17832
 
17869
17848
 
17870
17849
    de_ctx->flags |= DE_QUIET;
17871
17850
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17872
 
                               "(content:\"one\";  http_host; nocase; "
17873
 
                               "content:\"oneonetwo\"; fast_pattern:3,65977; http_host; nocase; "
17874
 
                               "content:\"three\"; distance:10; http_host; nocase; sid:1;)");
 
17851
                               "(content:\"one\";  http_host; "
 
17852
                               "content:\"oneonetwo\"; fast_pattern:3,65977; http_host; "
 
17853
                               "content:\"three\"; distance:10; http_host; sid:1;)");
17875
17854
    if (de_ctx->sig_list != NULL)
17876
17855
        goto end;
17877
17856
 
17893
17872
 
17894
17873
    de_ctx->flags |= DE_QUIET;
17895
17874
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17896
 
                               "(content:\"one\"; http_host; nocase; "
17897
 
                               "content:\"two\"; fast_pattern:65534,4; http_host; nocase; "
17898
 
                               "content:\"three\"; http_host; distance:10; nocase; sid:1;)");
 
17875
                               "(content:\"one\"; http_host; "
 
17876
                               "content:\"two\"; fast_pattern:65534,4; http_host; "
 
17877
                               "content:\"three\"; http_host; distance:10; sid:1;)");
17899
17878
    if (de_ctx->sig_list != NULL)
17900
17879
        goto end;
17901
17880
 
17917
17896
 
17918
17897
    de_ctx->flags |= DE_QUIET;
17919
17898
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17920
 
                               "(content:\"one\"; http_host; nocase; "
17921
 
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; nocase; "
17922
 
                               "content:\"three\"; http_host; nocase; sid:1;)");
 
17899
                               "(content:\"one\"; http_host; "
 
17900
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; "
 
17901
                               "content:\"three\"; http_host; sid:1;)");
17923
17902
    if (de_ctx->sig_list == NULL)
17924
17903
        goto end;
17925
17904
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
17926
17905
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
17927
 
        ud->flags & DETECT_CONTENT_NOCASE &&
17928
17906
        ud->flags & DETECT_CONTENT_NEGATED &&
17929
17907
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
17930
17908
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&
17951
17929
 
17952
17930
    de_ctx->flags |= DE_QUIET;
17953
17931
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17954
 
                               "(content:\"one\"; http_host; nocase; "
17955
 
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; distance:10; nocase; "
17956
 
                               "content:\"three\"; http_host; nocase; sid:1;)");
 
17932
                               "(content:\"one\"; http_host; "
 
17933
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; distance:10; "
 
17934
                               "content:\"three\"; http_host; sid:1;)");
17957
17935
    if (de_ctx->sig_list != NULL)
17958
17936
        goto end;
17959
17937
 
17975
17953
 
17976
17954
    de_ctx->flags |= DE_QUIET;
17977
17955
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
17978
 
                               "(content:\"one\"; http_host; nocase; "
17979
 
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; within:10; nocase; "
17980
 
                               "content:\"three\"; http_host; nocase; sid:1;)");
 
17956
                               "(content:\"one\"; http_host; "
 
17957
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; within:10; "
 
17958
                               "content:\"three\"; http_host; sid:1;)");
17981
17959
    if (de_ctx->sig_list != NULL)
17982
17960
        goto end;
17983
17961
 
17999
17977
 
18000
17978
    de_ctx->flags |= DE_QUIET;
18001
17979
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
18002
 
                               "(content:\"one\"; http_host; nocase; "
18003
 
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; offset:10; nocase; "
18004
 
                               "content:\"three\"; http_host; nocase; sid:1;)");
 
17980
                               "(content:\"one\"; http_host; "
 
17981
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; offset:10; "
 
17982
                               "content:\"three\"; http_host; sid:1;)");
18005
17983
    if (de_ctx->sig_list != NULL)
18006
17984
        goto end;
18007
17985
 
18023
18001
 
18024
18002
    de_ctx->flags |= DE_QUIET;
18025
18003
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
18026
 
                               "(content:\"one\"; http_host; nocase; "
18027
 
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; depth:10; nocase; "
18028
 
                               "content:\"three\"; http_host; nocase; sid:1;)");
 
18004
                               "(content:\"one\"; http_host; "
 
18005
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; depth:10; "
 
18006
                               "content:\"three\"; http_host; sid:1;)");
18029
18007
    if (de_ctx->sig_list != NULL)
18030
18008
        goto end;
18031
18009
 
18047
18025
 
18048
18026
    de_ctx->flags |= DE_QUIET;
18049
18027
    de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
18050
 
                               "(content:\"one\"; http_host; nocase; "
18051
 
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; nocase; "
18052
 
                               "content:\"three\"; http_host; nocase; sid:1;)");
 
18028
                               "(content:\"one\"; http_host; "
 
18029
                               "content:!\"oneonetwo\"; fast_pattern:3,4; http_host; "
 
18030
                               "content:\"three\"; http_host; sid:1;)");
18053
18031
    if (de_ctx->sig_list == NULL)
18054
18032
        goto end;
18055
18033
    DetectContentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH]->prev->ctx;
18056
18034
    if (ud->flags & DETECT_CONTENT_FAST_PATTERN &&
18057
 
        ud->flags & DETECT_CONTENT_NOCASE &&
18058
18035
        ud->flags & DETECT_CONTENT_NEGATED &&
18059
18036
        !(ud->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) &&
18060
18037
        ud->flags & DETECT_CONTENT_FAST_PATTERN_CHOP &&