« back to all changes in this revision
Viewing changes to src/detect.c
- browse files at revision 14
- compare with another revision
- download diff
- download tarball
- view history from revision 14
- Committer: Package Import Robot
- Author(s): Pierre Chifflier
- Date: 2011-11-17 23:20:51 UTC
- mfrom: (1.1.10)
- Revision ID: package-import@ubuntu.com-20111117232051-wlo0g2fyinx0zi25
Tags: 1.1-1
* Imported Upstream version 1.1
* Add instructions on getting new rules using oinkmaster
* Add Recommends on oinkmaster
* Move snort-rules-default to Recommends
* Add instructions on getting new rules using oinkmaster
* Add Recommends on oinkmaster
* Move snort-rules-default to Recommends
- files added:
- qa
- qa/coccinelle
- rules
- files removed:
- src/alert-unified-alert.c
- files modified:
- ChangeLog
added
removed
src/detect.c
1
/* Copyright (C) 2007-2010 Open Information Security Foundation
1
/* Copyright (C) 2007-2011 Open Information Security Foundation
2
2
*
3
3
* You can copy, redistribute or modify this Program under the terms of
4
4
* the GNU General Public License version 2 as published by the Free
50
50
#include "detect-http-cookie.h"
51
51
#include "detect-http-method.h"
52
52
53
#include "detect-decode-event.h"
53
#include "detect-engine-event.h"
54
54
#include "decode.h"
55
55
56
56
#include "detect-ipopts.h"
112
112
#include "detect-detection-filter.h"
113
113
#include "detect-http-client-body.h"
114
114
#include "detect-http-header.h"
115
#include "detect-http-raw-header.h"
115
116
#include "detect-http-uri.h"
117
#include "detect-http-raw-uri.h"
118
#include "detect-http-stat-msg.h"
119
#include "detect-engine-hcbd.h"
120
#include "detect-engine-hhd.h"
121
#include "detect-engine-hrhd.h"
122
#include "detect-engine-hmd.h"
123
#include "detect-engine-hcd.h"
124
#include "detect-engine-hrud.h"
125
#include "detect-byte-extract.h"
126
#include "detect-replace.h"
116
127
117
128
#include "util-rule-vars.h"
118
129
122
133
#include "detect-tls-version.h"
123
134
#include "detect-ssh-proto-version.h"
124
135
#include "detect-ssh-software-version.h"
136
#include "detect-http-stat-code.h"
137
#include "detect-ssl-version.h"
138
#include "detect-ssl-state.h"
125
139
126
140
#include "action-globals.h"
127
#include "tm-modules.h"
141
#include "tm-threads.h"
128
142
129
143
#include "pkt-var.h"
130
144
134
148
#include "conf-yaml-loader.h"
135
149
136
150
#include "stream-tcp.h"
151
#include "stream-tcp-inline.h"
137
152
138
153
#include "util-classification-config.h"
139
154
#include "util-print.h"
147
162
#include "util-privs.h"
148
163
#include "util-profiling.h"
149
164
#include "util-validate.h"
165
#include "util-optimize.h"
166
#include "util-vector.h"
150
167
151
168
extern uint8_t engine_mode;
152
169
170
extern int engine_analysis;
171
static int fp_engine_analysis_set = 0;
172
static FILE *fp_engine_analysis_FD = NULL;
173
153
174
SigMatch *SigMatchAlloc(void);
154
175
void DetectExitPrintStats(ThreadVars *tv, void *data);
155
176
156
177
void DbgPrintSigs(DetectEngineCtx *, SigGroupHead *);
157
178
void DbgPrintSigs2(DetectEngineCtx *, SigGroupHead *);
179
static void PacketCreateMask(Packet *p, SignatureMask *mask, uint16_t alproto, void *alstate, StreamMsg *smsg);
158
180
159
181
/* tm module api functions */
160
182
TmEcode Detect(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
169
191
tmm_modules[TMM_DETECT].ThreadDeinit = DetectThreadDeinit;
170
192
tmm_modules[TMM_DETECT].RegisterTests = SigRegisterTests;
171
193
tmm_modules[TMM_DETECT].cap_flags = 0;
194
195
PacketAlertTagInit();
172
196
}
173
197
174
198
void DetectExitPrintStats(ThreadVars *tv, void *data) {
175
199
DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
176
200
if (det_ctx == NULL)
177
201
return;
178
#if 0
179
SCLogInfo("(%s) (1byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
180
tv->name, det_ctx->pkts, det_ctx->pkts_searched1,
181
(float)(det_ctx->pkts_searched1/(float)(det_ctx->pkts)*100));
182
SCLogInfo("(%s) (2byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
183
tv->name, det_ctx->pkts, det_ctx->pkts_searched2,
184
(float)(det_ctx->pkts_searched2/(float)(det_ctx->pkts)*100));
185
SCLogInfo("(%s) (3byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
186
tv->name, det_ctx->pkts, det_ctx->pkts_searched3,
187
(float)(det_ctx->pkts_searched3/(float)(det_ctx->pkts)*100));
188
SCLogInfo("(%s) (4byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
189
tv->name, det_ctx->pkts, det_ctx->pkts_searched4,
190
(float)(det_ctx->pkts_searched4/(float)(det_ctx->pkts)*100));
191
SCLogInfo("(%s) (+byte) Pkts %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
192
tv->name, det_ctx->pkts, det_ctx->pkts_searched,
193
(float)(det_ctx->pkts_searched/(float)(det_ctx->pkts)*100));
194
195
SCLogInfo("(%s) URI (1byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
196
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched1,
197
(float)(det_ctx->pkts_uri_searched1/(float)(det_ctx->uris)*100));
198
SCLogInfo("(%s) URI (2byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
199
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched2,
200
(float)(det_ctx->pkts_uri_searched2/(float)(det_ctx->uris)*100));
201
SCLogInfo("(%s) URI (3byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
202
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched3,
203
(float)(det_ctx->pkts_uri_searched3/(float)(det_ctx->uris)*100));
204
SCLogInfo("(%s) URI (4byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
205
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched4,
206
(float)(det_ctx->pkts_uri_searched4/(float)(det_ctx->uris)*100));
207
SCLogInfo("(%s) URI (+byte) Uri's %" PRIu32 ", Searched %" PRIu32 " (%02.1f).",
208
tv->name, det_ctx->uris, det_ctx->pkts_uri_searched,
209
(float)(det_ctx->pkts_uri_searched/(float)(det_ctx->uris)*100));
210
#endif
211
202
}
212
203
213
204
/** \brief Create the path if default-rule-path was specified
241
232
return path;
242
233
}
243
234
235
static inline void EngineAnalysisWriteFastPattern(Signature *s, SigMatch *mpm_sm)
236
{
237
int fast_pattern_set = 0;
238
int fast_pattern_only_set = 0;
239
int fast_pattern_chop_set = 0;
240
DetectContentData *fp_cd = NULL;
241
242
if (mpm_sm != NULL) {
243
fp_cd = (DetectContentData *)mpm_sm->ctx;
244
if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN) {
245
fast_pattern_set = 1;
246
if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
247
fast_pattern_only_set = 1;
248
} else if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
249
fast_pattern_chop_set = 1;
250
}
251
}
252
}
253
254
if (fp_cd == NULL) {
255
fprintf(fp_engine_analysis_FD, "== Sid: %u ==\n", s->id);
256
fprintf(fp_engine_analysis_FD, " No content present\n");
257
return;
258
}
259
260
fprintf(fp_engine_analysis_FD, "== Sid: %u ==\n", s->id);
261
fprintf(fp_engine_analysis_FD, " Fast pattern matcher: ");
262
if (mpm_sm->type == DETECT_CONTENT)
263
fprintf(fp_engine_analysis_FD, "content\n");
264
else if (mpm_sm->type == DETECT_URICONTENT)
265
fprintf(fp_engine_analysis_FD, "uricontent\n");
266
else if (mpm_sm->type == DETECT_AL_HTTP_CLIENT_BODY)
267
fprintf(fp_engine_analysis_FD, "http_client_body\n");
268
else if (mpm_sm->type == DETECT_AL_HTTP_HEADER)
269
fprintf(fp_engine_analysis_FD, "http_header\n");
270
else if (mpm_sm->type == DETECT_AL_HTTP_RAW_HEADER)
271
fprintf(fp_engine_analysis_FD, "http_raw_header\n");
272
fprintf(fp_engine_analysis_FD, " Fast pattern set: %s\n", fast_pattern_set ? "yes" : "no");
273
fprintf(fp_engine_analysis_FD, " Fast pattern only set: %s\n",
274
fast_pattern_only_set ? "yes" : "no");
275
fprintf(fp_engine_analysis_FD, " Fast pattern chop set: %s\n",
276
fast_pattern_chop_set ? "yes" : "no");
277
if (fast_pattern_chop_set) {
278
fprintf(fp_engine_analysis_FD, " Fast pattern offset, length: %u, %u\n",
279
fp_cd->fp_chop_offset, fp_cd->fp_chop_len);
280
}
281
fprintf(fp_engine_analysis_FD, " Content negated: %s\n",
282
(fp_cd->flags & DETECT_CONTENT_NEGATED) ? "yes" : "no");
283
284
uint16_t patlen = fp_cd->content_len;
285
uint8_t *pat = SCMalloc(fp_cd->content_len + 1);
286
if (pat == NULL) {
287
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
288
exit(EXIT_FAILURE);
289
}
290
memcpy(pat, fp_cd->content, fp_cd->content_len);
291
pat[fp_cd->content_len] = '\0';
292
fprintf(fp_engine_analysis_FD, " Original content: ");
293
PrintRawUriFp(fp_engine_analysis_FD, pat, patlen);
294
fprintf(fp_engine_analysis_FD, "\n");
295
296
if (fast_pattern_chop_set) {
297
SCFree(pat);
298
patlen = fp_cd->fp_chop_len;
299
pat = SCMalloc(fp_cd->fp_chop_len + 1);
300
if (pat == NULL) {
301
exit(EXIT_FAILURE);
302
}
303
memcpy(pat, fp_cd->content + fp_cd->fp_chop_offset, fp_cd->fp_chop_len);
304
pat[fp_cd->fp_chop_len] = '\0';
305
fprintf(fp_engine_analysis_FD, " Final content: ");
306
PrintRawUriFp(fp_engine_analysis_FD, pat, patlen);
307
fprintf(fp_engine_analysis_FD, "\n");
308
} else {
309
fprintf(fp_engine_analysis_FD, " Final content: ");
310
PrintRawUriFp(fp_engine_analysis_FD, pat, patlen);
311
fprintf(fp_engine_analysis_FD, "\n");
312
}
313
SCFree(pat);
314
315
return;
316
}
317
318
/**
319
* \brief Prints analysis of fast pattern for a signature.
320
*
321
* The code here mimics the logic to select fast_pattern from staging.
322
* If any changes are made to the staging logic, this should follow suit.
323
*
324
* \param s Pointer to the signature.
325
*/
326
void EngineAnalysisFastPattern(Signature *s)
327
{
328
SigMatch *mpm_sm = NULL;
329
uint32_t fast_pattern = 0;
330
int list_id = 0;
331
332
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
333
/* we have no keywords that support fp in this Signature sm list */
334
if (!FastPatternSupportEnabledForSigMatchList(list_id))
335
continue;
336
337
SigMatch *sm = NULL;
338
/* get the total no of patterns in this Signature, as well as find out
339
* if we have a fast_pattern set in this Signature */
340
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
341
/* this keyword isn't registered for fp support */
342
if (!FastPatternSupportEnabledForSigMatchType(sm->type))
343
continue;
344
345
DetectContentData *cd = (DetectContentData *)sm->ctx;
346
if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
347
fast_pattern = 1;
348
break;
349
}
350
} /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */
351
352
/* found a fast pattern for the sig. Let's get outta here */
353
if (fast_pattern)
354
break;
355
} /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */
356
357
int max_len = 0;
358
/* get the longest pattern in the sig */
359
if (!fast_pattern) {
360
SigMatch *sm = NULL;
361
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
362
if (!FastPatternSupportEnabledForSigMatchList(list_id))
363
continue;
364
365
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
366
if (!FastPatternSupportEnabledForSigMatchType(sm->type))
367
continue;
368
369
DetectContentData *cd = (DetectContentData *)sm->ctx;
370
if (max_len < cd->content_len)
371
max_len = cd->content_len;
372
}
373
}
374
}
375
376
SigMatch *sm = NULL;
377
for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
378
if (!FastPatternSupportEnabledForSigMatchList(list_id))
379
continue;
380
381
for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) {
382
if (!FastPatternSupportEnabledForSigMatchType(sm->type))
383
continue;
384
385
/* skip in case of:
386
* 1. we expect a fastpattern but this isn't it */
387
if (fast_pattern) {
388
/* can be any content based keyword since all of them
389
* now use a unified structure - DetectContentData */
390
DetectContentData *cd = (DetectContentData *)sm->ctx;
391
if (!(cd->flags & DETECT_CONTENT_FAST_PATTERN)) {
392
SCLogDebug("not a fast pattern %"PRIu32"", cd->id);
393
continue;
394
}
395
SCLogDebug("fast pattern %"PRIu32"", cd->id);
396
} else {
397
DetectContentData *cd = (DetectContentData *)sm->ctx;
398
if (cd->content_len < max_len)
399
continue;
400
401
} /* else - if (fast_pattern[sig] == 1) */
402
403
if (mpm_sm == NULL) {
404
mpm_sm = sm;
405
if (fast_pattern)
406
break;
407
} else {
408
DetectContentData *data1 = (DetectContentData *)sm->ctx;
409
DetectContentData *data2 = (DetectContentData *)mpm_sm->ctx;
410
uint32_t ls = PatternStrength(data1->content, data1->content_len);
411
uint32_t ss = PatternStrength(data2->content, data2->content_len);
412
if (ls > ss) {
413
mpm_sm = sm;
414
} else if (ls == ss) {
415
/* if 2 patterns are of equal strength, we pick the longest */
416
if (data1->content_len > data2->content_len)
417
mpm_sm = sm;
418
} else {
419
SCLogDebug("sticking with mpm_sm");
420
}
421
} /* else - if (mpm == NULL) */
422
} /* for (sm = s->sm_lists[list_id]; sm != NULL; sm = sm->next) */
423
if (mpm_sm != NULL && fast_pattern)
424
break;
425
} /* for ( ; list_id < DETECT_SM_LIST_MAX; list_id++) */
426
427
/* output result to file */
428
EngineAnalysisWriteFastPattern(s, mpm_sm);
429
430
return;
431
}
432
244
433
/**
245
434
* \brief Load a file with signatures
246
435
* \param de_ctx Pointer to the detection engine context
300
489
sig = DetectEngineAppendSig(de_ctx, line);
301
490
(*sigs_tot)++;
302
491
if (sig != NULL) {
492
if (fp_engine_analysis_set) {
493
EngineAnalysisFastPattern(sig);
494
}
303
495
SCLogDebug("signature %"PRIu32" loaded", sig->id);
304
496
good++;
305
497
} else {
323
515
* \param sig_file Filename holding signatures
324
516
* \retval -1 on error
325
517
*/
326
int SigLoadSignatures (DetectEngineCtx *de_ctx, char *sig_file)
518
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file)
327
519
{
328
520
SCEnter();
329
521
335
527
int cntf = 0;
336
528
int sigtotal = 0;
337
529
char *sfile = NULL;
338
Signature *s = NULL;
339
SigIntId sig_id = 0;
530
531
/* needed by engine_analysis */
532
char log_path[256];
533
534
if (engine_analysis) {
535
if ((ConfGetBool("engine-analysis.rules-fast-pattern",
536
&fp_engine_analysis_set)) == 0) {
537
SCLogInfo("Conf parameter \"engine-analysis.rules-fast-pattern\" not "
538
"found. Defaulting to not printing the fast_pattern "
539
"report.");
540
fp_engine_analysis_set = 0;
541
}
542
543
if (fp_engine_analysis_set) {
544
char *log_dir;
545
if (ConfGet("default-log-dir", &log_dir) != 1)
546
log_dir = DEFAULT_LOG_DIR;
547
snprintf(log_path, 256, "%s/%s", log_dir, "rules_fast_pattern.txt");
548
549
fp_engine_analysis_FD = fopen(log_path, "w");
550
if (fp_engine_analysis_FD == NULL) {
551
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path,
552
strerror(errno));
553
return -1;
554
}
555
struct timeval tval;
556
struct tm *tms;
557
gettimeofday(&tval, NULL);
558
struct tm local_tm;
559
tms = (struct tm *)localtime_r(&tval.tv_sec, &local_tm);
560
fprintf(fp_engine_analysis_FD, "----------------------------------------------"
561
"---------------------\n");
562
fprintf(fp_engine_analysis_FD, "Date: %" PRId32 "/%" PRId32 "/%04d -- "
563
"%02d:%02d:%02d\n",
564
tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour,
565
tms->tm_min, tms->tm_sec);
566
fprintf(fp_engine_analysis_FD, "----------------------------------------------"
567
"---------------------\n");
568
} else {
569
SCLogInfo("Engine-Analysis for fast_pattern disabled in conf file.");
570
}
571
}
340
572
341
573
/* ok, let's load signature files from the general config */
342
574
rule_files = ConfGetNode("rule-files");
350
582
if (r > 0) {
351
583
cnt += r;
352
584
} else if (r == 0){
353
SCLogError(SC_ERR_NO_RULES, "No rules loaded from %s", sfile);
585
SCLogWarning(SC_ERR_NO_RULES, "No rules loaded from %s", sfile);
354
586
if (de_ctx->failure_fatal == 1) {
355
587
exit(EXIT_FAILURE);
356
588
}
384
616
385
617
/* now we should have signatures to work with */
386
618
if (cnt <= 0) {
387
SCLogError(SC_ERR_NO_RULES_LOADED, "%d rule files specified, but no rule was loaded at all!", cntf);
388
if (de_ctx->failure_fatal == 1) {
389
exit(EXIT_FAILURE);
619
if (cntf > 0) {
620
SCLogError(SC_ERR_NO_RULES_LOADED, "%d rule files specified, but no rule was loaded at all!", cntf);
621
if (de_ctx->failure_fatal == 1) {
622
exit(EXIT_FAILURE);
623
}
624
ret = -1;
625
} else {
626
SCLogInfo("No signatures supplied.");
627
goto end;
390
628
}
391
ret = -1;
392
629
} else {
393
630
/* we report the total of files and rules successfully loaded and failed */
394
631
SCLogInfo("%" PRId32 " rule files processed. %" PRId32 " rules succesfully loaded, %" PRId32 " rules failed", cntf, cnt, sigtotal-cnt);
402
639
SCSigOrderSignatures(de_ctx);
403
640
SCSigSignatureOrderingModuleCleanup(de_ctx);
404
641
405
s = de_ctx->sig_list;
642
Signature *s = de_ctx->sig_list;
406
643
407
644
/* Assign the unique order id of signatures after sorting,
408
645
* so the IP Only engine process them in order too */
646
SigIntId sig_id = 0;
409
647
while (s != NULL) {
410
648
s->order_id = sig_id++;
411
649
s = s->next;
417
655
ret = 0;
418
656
419
657
end:
658
if (engine_analysis) {
659
if (fp_engine_analysis_set) {
660
if (fp_engine_analysis_FD != NULL) {
661
SCLogInfo("Engine-Analyis for fast_pattern printed to file - %s",
662
log_path);
663
fclose(fp_engine_analysis_FD);
664
fp_engine_analysis_FD = NULL;
665
}
666
}
667
}
668
420
669
DetectParseDupSigHashFree(de_ctx);
421
670
SCReturnInt(ret);
422
671
}
423
672
424
673
/**
674
* \brief See if we can prefilter a signature on inexpensive checks
675
*
676
* Order of SignatureHeader access:
677
* 1. mask
678
* 2. flags
679
* 3. alproto
680
* 4. mpm_pattern_id_div8
681
* 4. mpm_pattern_id_mod8
682
* 5. mpm_stream_pattern_id_div8
683
* 5. mpm_stream_pattern_id_mod8
684
* 6. num
685
*
686
* \retval 0 can't match, don't inspect
687
* \retval 1 might match, further inspection required
688
*/
689
static inline int SigMatchSignaturesBuildMatchArrayAddSignature(DetectEngineThreadCtx *det_ctx,
690
Packet *p, SignatureHeader *s, uint16_t alproto)
691
{
692
/* if the sig has alproto and the session as well they should match */
693
if (s->flags & SIG_FLAG_APPLAYER && s->alproto != ALPROTO_UNKNOWN && s->alproto != alproto) {
694
if (s->alproto == ALPROTO_DCERPC) {
695
if (alproto != ALPROTO_SMB && alproto != ALPROTO_SMB2) {
696
SCLogDebug("DCERPC sig, alproto not SMB or SMB2");
697
return 0;
698
}
699
} else {
700
SCLogDebug("alproto mismatch");
701
return 0;
702
}
703
}
704
705
/* check for a pattern match of the one pattern in this sig. */
706
if (s->flags & SIG_FLAG_MPM_PACKET) {
707
/* filter out sigs that want pattern matches, but
708
* have no matches */
709
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] & s->mpm_pattern_id_mod_8)) {
710
//if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) {
711
//SCLogDebug("mpm sig without matches (pat id %"PRIu32" check in content).", s->mpm_pattern_id);
712
713
if (!(s->flags & SIG_FLAG_MPM_PACKET_NEG)) {
714
return 0;
715
} else {
716
SCLogDebug("but thats okay, we are looking for neg-content");
717
}
718
}
719
}
720
if (s->flags & SIG_FLAG_MPM_STREAM) {
721
/* filter out sigs that want pattern matches, but
722
* have no matches */
723
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8)) {
724
//SCLogDebug("mpm stream sig without matches (pat id %"PRIu32" check in content).", s->mpm_stream_pattern_id);
725
726
if (!(s->flags & SIG_FLAG_MPM_STREAM_NEG)) {
727
return 0;
728
} else {
729
SCLogDebug("but thats okay, we are looking for neg-content");
730
}
731
}
732
}
733
734
if (s->full_sig->flags & SIG_FLAG_MPM_URICONTENT) {
735
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
736
(1 << (s->mpm_http_pattern_id % 8)))) {
737
if (!(s->full_sig->flags & SIG_FLAG_MPM_URICONTENT_NEG)) {
738
return 0;
739
}
740
}
741
}
742
743
if (s->flags & SIG_FLAG_MPM_HCBDCONTENT) {
744
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
745
(1 << (s->mpm_http_pattern_id % 8)))) {
746
if (!(s->flags & SIG_FLAG_MPM_HCBDCONTENT_NEG)) {
747
return 0;
748
}
749
}
750
}
751
752
if (s->flags & SIG_FLAG_MPM_HHDCONTENT) {
753
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
754
(1 << (s->mpm_http_pattern_id % 8)))) {
755
if (!(s->flags & SIG_FLAG_MPM_HHDCONTENT_NEG)) {
756
return 0;
757
}
758
}
759
}
760
761
if (s->flags & SIG_FLAG_MPM_HRHDCONTENT) {
762
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
763
(1 << (s->mpm_http_pattern_id % 8)))) {
764
if (!(s->flags & SIG_FLAG_MPM_HRHDCONTENT_NEG)) {
765
return 0;
766
}
767
}
768
}
769
770
if (s->flags & SIG_FLAG_MPM_HMDCONTENT) {
771
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
772
(1 << (s->mpm_http_pattern_id % 8)))) {
773
if (!(s->flags & SIG_FLAG_MPM_HMDCONTENT_NEG)) {
774
return 0;
775
}
776
}
777
}
778
779
if (s->flags & SIG_FLAG_MPM_HCDCONTENT) {
780
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
781
(1 << (s->mpm_http_pattern_id % 8)))) {
782
if (!(s->flags & SIG_FLAG_MPM_HCDCONTENT_NEG)) {
783
return 0;
784
}
785
}
786
}
787
788
if (s->flags & SIG_FLAG_MPM_HRUDCONTENT) {
789
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_http_pattern_id / 8)] &
790
(1 << (s->mpm_http_pattern_id % 8)))) {
791
if (!(s->flags & SIG_FLAG_MPM_HRUDCONTENT_NEG)) {
792
return 0;
793
}
794
}
795
}
796
797
/* de_state check, filter out all signatures that already had a match before
798
* or just partially match */
799
if (s->flags & SIG_FLAG_STATE_MATCH) {
800
/* we run after DeStateDetectContinueDetection, so we might have
801
* state NEW here. In that case we'd want to continue detection
802
* for this sig. If we have NOSTATE, stateful detection didn't
803
* start yet for this sig, so we will inspect it.
804
*/
805
if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW &&
806
det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NOSTATE) {
807
SCLogDebug("de state not NEW or NOSTATE, ignoring");
808
return 0;
809
}
810
}
811
812
return 1;
813
}
814
815
#if defined(__SSE3__)
816
817
/**
818
* \brief SIMD implementation of mask prefiltering.
819
*
820
* Mass mask matching is done creating a bitmap of signatures that need
821
* futher inspection.
822
*
823
* On 32 bit systems we inspect in 32 sig batches, creating a u32 with flags.
824
* On 64 bit systems we inspect in 64 sig batches, creating a u64 with flags.
825
* The size of a register is leading here.
826
*/
827
static inline void SigMatchSignaturesBuildMatchArraySIMD(DetectEngineThreadCtx *det_ctx,
828
Packet *p, SignatureMask mask, uint16_t alproto)
829
{
830
uint32_t u;
831
SigIntId x;
832
int bitno = 0;
833
#if __WORDSIZE == 32
834
register uint32_t bm; /* bit mask, 32 bits used */
835
836
Vector pm, sm, r1, r2;
837
/* load the packet mask into each byte of the vector */
838
pm.v = _mm_set1_epi8(mask);
839
840
/* reset previous run */
841
det_ctx->match_array_cnt = 0;
842
843
for (u = 0; u < det_ctx->sgh->sig_cnt; u += 32) {
844
/* load a batch of masks */
845
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u]);
846
/* logical AND them with the packet's mask */
847
r1.v = _mm_and_si128(pm.v, sm.v);
848
/* compare the result with the original mask */
849
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
850
/* convert into a bitarray */
851
bm = ((uint32_t) _mm_movemask_epi8(r2.v));
852
853
SCLogDebug("bm1 %08x", bm);
854
855
/* load a batch of masks */
856
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u+16]);
857
/* logical AND them with the packet's mask */
858
r1.v = _mm_and_si128(pm.v, sm.v);
859
/* compare the result with the original mask */
860
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
861
/* convert into a bitarray */
862
bm |= ((uint32_t) _mm_movemask_epi8(r2.v) << 16);
863
864
SCLogDebug("bm2 %08x", bm);
865
866
if (bm == 0) {
867
continue;
868
}
869
870
/* Check each bit in the bit map. Little endian is assumed (SSE is x86),
871
* so the bits are in memory backwards, 0 is on the right edge,
872
* 31 on the left edge. This is why above we store the output of the
873
* _mm_movemask_epi8 in this order as well */
874
bitno = 0;
875
for (x = u; x < det_ctx->sgh->sig_cnt && bitno < 32; x++, bitno++) {
876
if (bm & (1 << bitno)) {
877
SignatureHeader *s = &det_ctx->sgh->head_array[x];
878
879
if (SigMatchSignaturesBuildMatchArrayAddSignature(det_ctx, p, s, alproto) == 1) {
880
/* okay, store it */
881
det_ctx->match_array[det_ctx->match_array_cnt] = s->full_sig;
882
det_ctx->match_array_cnt++;
883
}
884
}
885
}
886
}
887
#elif __WORDSIZE == 64
888
register uint64_t bm; /* bit mask, 64 bits used */
889
890
Vector pm, sm, r1, r2;
891
/* load the packet mask into each byte of the vector */
892
pm.v = _mm_set1_epi8(mask);
893
894
/* reset previous run */
895
det_ctx->match_array_cnt = 0;
896
897
for (u = 0; u < det_ctx->sgh->sig_cnt; u += 64) {
898
/* load a batch of masks */
899
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u]);
900
/* logical AND them with the packet's mask */
901
r1.v = _mm_and_si128(pm.v, sm.v);
902
/* compare the result with the original mask */
903
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
904
/* convert into a bitarray */
905
bm = ((uint64_t) _mm_movemask_epi8(r2.v));
906
907
SCLogDebug("bm1 %08x", bm);
908
909
/* load a batch of masks */
910
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u+16]);
911
/* logical AND them with the packet's mask */
912
r1.v = _mm_and_si128(pm.v, sm.v);
913
/* compare the result with the original mask */
914
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
915
/* convert into a bitarray */
916
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 16;
917
918
/* load a batch of masks */
919
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u+32]);
920
/* logical AND them with the packet's mask */
921
r1.v = _mm_and_si128(pm.v, sm.v);
922
/* compare the result with the original mask */
923
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
924
/* convert into a bitarray */
925
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 32;
926
927
/* load a batch of masks */
928
sm.v = _mm_load_si128((const __m128i *)&det_ctx->sgh->mask_array[u+48]);
929
/* logical AND them with the packet's mask */
930
r1.v = _mm_and_si128(pm.v, sm.v);
931
/* compare the result with the original mask */
932
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
933
/* convert into a bitarray */
934
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 48;
935
936
SCLogDebug("bm2 %08x", bm);
937
938
if (bm == 0) {
939
continue;
940
}
941
942
/* Check each bit in the bit map. Little endian is assumed (SSE is x86-64),
943
* so the bits are in memory backwards, 0 is on the right edge,
944
* 63 on the left edge. This is why above we store the output of the
945
* _mm_movemask_epi8 in this order as well */
946
bitno = 0;
947
for (x = u; x < det_ctx->sgh->sig_cnt && bitno < 64; x++, bitno++) {
948
if (bm & ((uint64_t)1 << bitno)) {
949
SignatureHeader *s = &det_ctx->sgh->head_array[x];
950
951
if (SigMatchSignaturesBuildMatchArrayAddSignature(det_ctx, p, s, alproto) == 1) {
952
/* okay, store it */
953
det_ctx->match_array[det_ctx->match_array_cnt] = s->full_sig;
954
det_ctx->match_array_cnt++;
955
}
956
}
957
}
958
}
959
#else
960
#error Wordsize (__WORDSIZE) neither 32 or 64.
961
#endif
962
}
963
#endif /* defined(__SSE3__) */
964
965
static inline void SigMatchSignaturesBuildMatchArrayNoSIMD(DetectEngineThreadCtx *det_ctx,
966
Packet *p, SignatureMask mask, uint16_t alproto)
967
{
968
uint32_t u;
969
970
/* reset previous run */
971
det_ctx->match_array_cnt = 0;
972
973
for (u = 0; u < det_ctx->sgh->sig_cnt; u++) {
974
SignatureHeader *s = &det_ctx->sgh->head_array[u];
975
if ((mask & s->mask) == s->mask) {
976
if (SigMatchSignaturesBuildMatchArrayAddSignature(det_ctx, p, s, alproto) == 1) {
977
/* okay, store it */
978
det_ctx->match_array[det_ctx->match_array_cnt] = s->full_sig;
979
det_ctx->match_array_cnt++;
980
}
981
}
982
}
983
}
984
985
/**
425
986
* \brief build an array of signatures that will be inspected
426
987
*
427
988
* All signatures that can be filtered out on forehand are not added to it.
429
990
* \param de_ctx detection engine ctx
430
991
* \param det_ctx detection engine thread ctx -- array is stored here
431
992
* \param p packet
993
* \param mask Packets mask
432
994
* \param alproto application layer protocol
433
*
434
* Order of SignatureHeader access:
435
* 1. flags
436
* 2. alproto
437
* 3. mpm_pattern_id
438
* 4. mpm_stream_pattern_id
439
* 5. num
440
995
*/
441
static void SigMatchSignaturesBuildMatchArray(DetectEngineCtx *de_ctx,
442
DetectEngineThreadCtx *det_ctx, Packet *p, uint16_t alproto)
996
static void SigMatchSignaturesBuildMatchArray(DetectEngineThreadCtx *det_ctx,
997
Packet *p, SignatureMask mask, uint16_t alproto)
443
998
{
444
uint32_t i;
445
446
/* reset previous run */
447
det_ctx->match_array_cnt = 0;
448
449
for (i = 0; i < det_ctx->sgh->sig_cnt; i++) {
450
SignatureHeader *s = &det_ctx->sgh->head_array[i];
451
452
if (s->flags & SIG_FLAG_FLOW && !p->flow) {
453
SCLogDebug("flow in sig but not in packet");
454
continue;
455
}
456
457
/* filter out the sigs that inspect the payload, if packet
458
no payload inspection flag is set*/
459
if ((p->flags & PKT_NOPAYLOAD_INSPECTION) && (s->flags & SIG_FLAG_PAYLOAD)) {
460
SCLogDebug("no payload inspection enabled and sig has payload portion.");
461
continue;
462
}
463
464
/* if the sig has alproto and the session as well they should match */
465
if (s->alproto != ALPROTO_UNKNOWN) {
466
if (s->alproto != alproto) {
467
if (s->alproto == ALPROTO_DCERPC) {
468
if (alproto != ALPROTO_SMB && alproto != ALPROTO_SMB2) {
469
SCLogDebug("DCERPC sig, alproto not SMB or SMB2");
470
continue;
471
}
472
} else {
473
SCLogDebug("alproto mismatch");
474
continue;
475
}
476
}
477
}
478
479
/* check for a pattern match of the one pattern in this sig. */
480
if (s->flags & SIG_FLAG_MPM_PACKET) {
481
/* filter out sigs that want pattern matches, but
482
* have no matches */
483
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id / 8)] & (1<<(s->mpm_pattern_id % 8)))) {
484
SCLogDebug("mpm sig without matches (pat id %"PRIu32" check in content).", s->mpm_pattern_id);
485
486
if (!(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
487
/* pattern didn't match. There is one case where we will inspect
488
* the signature anyway: if the packet payload was added to the
489
* stream it is not scanned itself: the stream data is inspected.
490
* Inspecting both would result in duplicated alerts. There is
491
* one case where we are going to inspect the packet payload
492
* anyway: if a signature has the dsize option. */
493
if (!((p->flags & PKT_STREAM_ADD) && (s->flags & SIG_FLAG_DSIZE))) {
494
continue;
495
}
496
} else {
497
SCLogDebug("but thats okay, we are looking for neg-content");
498
}
499
}
500
}
501
if (s->flags & SIG_FLAG_MPM_STREAM) {
502
/* filter out sigs that want pattern matches, but
503
* have no matches */
504
if (!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_stream_pattern_id / 8)] & (1<<(s->mpm_stream_pattern_id % 8)))) {
505
SCLogDebug("mpm stream sig without matches (pat id %"PRIu32" check in content).", s->mpm_stream_pattern_id);
506
507
if (!(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
508
/* pattern didn't match. There is one case where we will inspect
509
* the signature anyway: if the packet payload was added to the
510
* stream it is not scanned itself: the stream data is inspected.
511
* Inspecting both would result in duplicated alerts. There is
512
* one case where we are going to inspect the packet payload
513
* anyway: if a signature has the dsize option. */
514
if (!((p->flags & PKT_STREAM_ADD) && (s->flags & SIG_FLAG_DSIZE))) {
515
continue;
516
}
517
} else {
518
SCLogDebug("but thats okay, we are looking for neg-content");
519
}
520
}
521
}
522
523
/* de_state check, filter out all signatures that already had a match before
524
* or just partially match */
525
if (s->flags & SIG_FLAG_AMATCH || s->flags & SIG_FLAG_UMATCH ||
526
s->flags & SIG_FLAG_DMATCH)
527
{
528
/* we run after DeStateDetectContinueDetection, so we might have
529
* state NEW here. In that case we'd want to continue detection
530
* for this sig. If we have NOSTATE, stateful detection didn't
531
* start yet for this sig, so we will inspect it.
532
*/
533
if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW &&
534
det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NOSTATE) {
535
SCLogDebug("de state not NEW or NOSTATE, ignoring");
536
continue;
537
}
538
}
539
540
/* okay, store it */
541
det_ctx->match_array[det_ctx->match_array_cnt] = s->full_sig;
542
det_ctx->match_array_cnt++;
543
}
999
#if defined(__SSE3__)
1000
SigMatchSignaturesBuildMatchArraySIMD(det_ctx, p, mask, alproto);
1001
#else
1002
SigMatchSignaturesBuildMatchArrayNoSIMD(det_ctx, p, mask, alproto);
1003
#endif
544
1004
}
545
1005
546
1006
/**
617
1077
618
1078
StreamMsg *smsg = NULL;
619
1079
620
if (p->proto == IPPROTO_TCP) {
1080
if (p->proto == IPPROTO_TCP && f->protoctx != NULL) {
621
1081
TcpSession *ssn = (TcpSession *)f->protoctx;
622
if (ssn != NULL) {
623
/* at stream eof, inspect all smsg's */
624
if (flags & STREAM_EOF) {
625
if (p->flowflags & FLOW_PKT_TOSERVER) {
626
smsg = ssn->toserver_smsg_head;
627
/* deref from the ssn */
628
ssn->toserver_smsg_head = NULL;
629
ssn->toserver_smsg_tail = NULL;
630
631
SCLogDebug("to_server smsg %p at stream eof", smsg);
632
} else {
633
smsg = ssn->toclient_smsg_head;
634
/* deref from the ssn */
635
ssn->toclient_smsg_head = NULL;
636
ssn->toclient_smsg_tail = NULL;
637
638
SCLogDebug("to_client smsg %p at stream eof", smsg);
639
}
640
} else {
641
if (p->flowflags & FLOW_PKT_TOSERVER) {
642
StreamMsg *head = ssn->toserver_smsg_head;
643
if (head == NULL) {
644
SCLogDebug("no smsgs in to_server direction");
645
goto end;
646
}
647
648
/* if the smsg is bigger than the current packet, we will
649
* process the smsg in a later run */
650
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
651
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
652
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
653
goto end;
654
}
655
656
smsg = head;
657
/* deref from the ssn */
658
ssn->toserver_smsg_head = NULL;
659
ssn->toserver_smsg_tail = NULL;
660
661
SCLogDebug("to_server smsg %p", smsg);
662
} else {
663
StreamMsg *head = ssn->toclient_smsg_head;
664
if (head == NULL)
665
goto end;
666
667
/* if the smsg is bigger than the current packet, we will
668
* process the smsg in a later run */
669
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
670
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
671
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
672
goto end;
673
}
674
675
smsg = head;
676
/* deref from the ssn */
677
ssn->toclient_smsg_head = NULL;
678
ssn->toclient_smsg_tail = NULL;
679
680
SCLogDebug("to_client smsg %p", smsg);
681
}
1082
1083
/* at stream eof, or in inline mode, inspect all smsg's */
1084
if (flags & STREAM_EOF || StreamTcpInlineMode()) {
1085
if (p->flowflags & FLOW_PKT_TOSERVER) {
1086
smsg = ssn->toserver_smsg_head;
1087
/* deref from the ssn */
1088
ssn->toserver_smsg_head = NULL;
1089
ssn->toserver_smsg_tail = NULL;
1090
1091
SCLogDebug("to_server smsg %p at stream eof", smsg);
1092
} else {
1093
smsg = ssn->toclient_smsg_head;
1094
/* deref from the ssn */
1095
ssn->toclient_smsg_head = NULL;
1096
ssn->toclient_smsg_tail = NULL;
1097
1098
SCLogDebug("to_client smsg %p at stream eof", smsg);
1099
}
1100
} else {
1101
if (p->flowflags & FLOW_PKT_TOSERVER) {
1102
StreamMsg *head = ssn->toserver_smsg_head;
1103
if (unlikely(head == NULL)) {
1104
SCLogDebug("no smsgs in to_server direction");
1105
goto end;
1106
}
1107
1108
/* if the smsg is bigger than the current packet, we will
1109
* process the smsg in a later run */
1110
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
1111
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
1112
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
1113
goto end;
1114
}
1115
1116
smsg = head;
1117
/* deref from the ssn */
1118
ssn->toserver_smsg_head = NULL;
1119
ssn->toserver_smsg_tail = NULL;
1120
1121
SCLogDebug("to_server smsg %p", smsg);
1122
} else {
1123
StreamMsg *head = ssn->toclient_smsg_head;
1124
if (unlikely(head == NULL))
1125
goto end;
1126
1127
/* if the smsg is bigger than the current packet, we will
1128
* process the smsg in a later run */
1129
if ((head->data.seq + head->data.data_len) > (TCP_GET_SEQ(p) + p->payload_len)) {
1130
SCLogDebug("smsg ends beyond current packet, skipping for now %"PRIu32">%"PRIu32,
1131
(head->data.seq + head->data.data_len), (TCP_GET_SEQ(p) + p->payload_len));
1132
goto end;
1133
}
1134
1135
smsg = head;
1136
/* deref from the ssn */
1137
ssn->toclient_smsg_head = NULL;
1138
ssn->toclient_smsg_tail = NULL;
1139
1140
SCLogDebug("to_client smsg %p", smsg);
682
1141
}
683
1142
}
684
1143
}
687
1146
SCReturnPtr(smsg, "StreamMsg");
688
1147
}
689
1148
1149
#define SMS_USE_FLOW_SGH 0x01
1150
#define SMS_USED_PM 0x02
1151
#define SMS_USED_STREAM_PM 0x04
1152
1153
/**
1154
* \internal
1155
* \brief Run mpm on packet, stream and other buffers based on
1156
* alproto, sgh state.
1157
*
1158
* \param de_ctx Pointer to the detection engine context.
1159
* \param det_ctx Pointer to the detection engine thread context.
1160
* \param smsg The stream segment to inspect for stream mpm.
1161
* \param p Packet.
1162
* \param flags Flags.
1163
* \param alproto Flow alproto.
1164
* \param alstate Flow alstate.
1165
* \param sms_runflags Used to store state by detection engine.
1166
*/
1167
static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
1168
DetectEngineThreadCtx *det_ctx, StreamMsg *smsg, Packet *p,
1169
uint8_t flags, uint16_t alproto, void *alstate, uint8_t *sms_runflags)
1170
{
1171
if (p->payload_len > 0 && (!(p->flags & PKT_NOPAYLOAD_INSPECTION))) {
1172
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_PACKET) {
1173
/* run the multi packet matcher against the payload of the packet */
1174
SCLogDebug("search: (%p, maxlen %" PRIu32 ", sgh->sig_cnt %" PRIu32 ")",
1175
det_ctx->sgh, det_ctx->sgh->mpm_content_maxlen, det_ctx->sgh->sig_cnt);
1176
1177
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PACKET);
1178
PacketPatternSearch(det_ctx, p);
1179
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PACKET);
1180
1181
*sms_runflags |= SMS_USED_PM;
1182
}
1183
if (!(p->flags & PKT_STREAM_ADD) && det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM) {
1184
*sms_runflags |= SMS_USED_PM;
1185
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_PKT_STREAM);
1186
PacketPatternSearchWithStreamCtx(det_ctx, p);
1187
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_PKT_STREAM);
1188
}
1189
}
1190
1191
/* have a look at the reassembled stream (if any) */
1192
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
1193
SCLogDebug("p->flowflags & FLOW_PKT_ESTABLISHED");
1194
if (smsg != NULL && det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_STREAM) {
1195
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_STREAM);
1196
StreamPatternSearch(det_ctx, p, smsg, flags);
1197
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_STREAM);
1198
1199
*sms_runflags |= SMS_USED_STREAM_PM;
1200
} else {
1201
SCLogDebug("smsg NULL (%p) or det_ctx->sgh->mpm_stream_ctx "
1202
"NULL (%p)", smsg, det_ctx->sgh->mpm_stream_ctx);
1203
}
1204
1205
/* all http based mpms */
1206
if (alproto == ALPROTO_HTTP && alstate != NULL) {
1207
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_URI) {
1208
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_URI);
1209
DetectUricontentInspectMpm(det_ctx, p->flow, alstate);
1210
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_URI);
1211
}
1212
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCBD) {
1213
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCBD);
1214
DetectEngineRunHttpClientBodyMpm(de_ctx, det_ctx, p->flow, alstate);
1215
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCBD);
1216
}
1217
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HHD) {
1218
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HHD);
1219
DetectEngineRunHttpHeaderMpm(det_ctx, p->flow, alstate);
1220
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HHD);
1221
}
1222
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRHD) {
1223
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRHD);
1224
DetectEngineRunHttpRawHeaderMpm(det_ctx, p->flow, alstate);
1225
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRHD);
1226
}
1227
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HMD) {
1228
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HMD);
1229
DetectEngineRunHttpMethodMpm(det_ctx, p->flow, alstate);
1230
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HMD);
1231
}
1232
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HCD) {
1233
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HCD);
1234
DetectEngineRunHttpCookieMpm(det_ctx, p->flow, alstate);
1235
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HCD);
1236
}
1237
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HRUD) {
1238
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HRUD);
1239
DetectEngineRunHttpRawUriMpm(det_ctx, p->flow, alstate);
1240
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HRUD);
1241
}
1242
}
1243
} else {
1244
SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
1245
}
1246
}
1247
1248
690
1249
/**
691
1250
* \brief Signature match function
692
1251
*
695
1254
*/
696
1255
int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
697
1256
{
698
699
700
/* No need to perform any detection on this packet, if the the given flag is set.*/
701
if (p->flags & PKT_NOPACKET_INSPECTION)
702
return 0;
703
704
int match = 0, fmatch = 0;
705
Signature *s = NULL;
706
SigMatch *sm = NULL;
1257
uint8_t sms_runflags = 0; /* function flags */
1258
uint8_t alert_flags = 0;
1259
uint16_t alproto = ALPROTO_UNKNOWN;
1260
int match = 0;
1261
int fmatch = 0;
707
1262
uint32_t idx;
708
uint16_t alproto = ALPROTO_UNKNOWN;
1263
uint8_t flags = 0; /* flow/state flags */
709
1264
void *alstate = NULL;
710
uint8_t flags = 0;
711
uint32_t cnt = 0;
712
SigGroupHead *sgh = NULL;
713
char use_flow_sgh = FALSE;
714
1265
StreamMsg *smsg = NULL;
715
char no_store_flow_sgh = FALSE;
716
uint8_t alert_flags = 0;
1266
Signature *s = NULL;
1267
SigMatch *sm = NULL;
1268
uint16_t alversion = 0;
717
1269
718
1270
SCEnter();
719
1271
720
1272
SCLogDebug("pcap_cnt %"PRIu64, p->pcap_cnt);
721
1273
722
1274
p->alerts.cnt = 0;
723
724
1275
det_ctx->pkts++;
725
1276
1277
/* No need to perform any detection on this packet, if the the given flag is set.*/
1278
if (p->flags & PKT_NOPACKET_INSPECTION) {
1279
SCReturnInt(0);
1280
}
1281
726
1282
/* grab the protocol state we will detect on */
727
if (p->flow != NULL) {
1283
if (p->flags & PKT_HAS_FLOW) {
728
1284
if (p->flags & PKT_STREAM_EOF) {
729
1285
flags |= STREAM_EOF;
730
1286
SCLogDebug("STREAM_EOF set");
733
1289
FlowIncrUsecnt(p->flow);
734
1290
735
1291
SCMutexLock(&p->flow->m);
736
737
/* Get the stored sgh from the flow (if any). Make sure we're not using
738
* the sgh for icmp error packets part of the same stream. */
739
if (IP_GET_IPPROTO(p) == p->flow->proto) { /* filter out icmp */
740
if (p->flowflags & FLOW_PKT_TOSERVER && p->flow->flags & FLOW_SGH_TOSERVER) {
741
sgh = p->flow->sgh_toserver;
742
use_flow_sgh = TRUE;
743
} else if (p->flowflags & FLOW_PKT_TOCLIENT && p->flow->flags & FLOW_SGH_TOCLIENT) {
744
sgh = p->flow->sgh_toclient;
745
use_flow_sgh = TRUE;
746
}
747
748
smsg = SigMatchSignaturesGetSmsg(p->flow, p, flags);
749
} else {
750
no_store_flow_sgh = TRUE;
751
}
752
753
/* Retrieve the app layer state and protocol and the tcp reassembled
754
* stream chunks. */
755
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
756
alstate = AppLayerGetProtoStateFromPacket(p);
757
alproto = AppLayerGetProtoFromPacket(p);
758
SCLogDebug("alstate %p, alproto %u", alstate, alproto);
759
760
} else {
761
SCLogDebug("packet doesn't have established flag set");
762
}
763
1292
{
1293
/* Get the stored sgh from the flow (if any). Make sure we're not using
1294
* the sgh for icmp error packets part of the same stream. */
1295
if (IP_GET_IPPROTO(p) == p->flow->proto) { /* filter out icmp */
1296
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
1297
if (p->flowflags & FLOW_PKT_TOSERVER && p->flow->flags & FLOW_SGH_TOSERVER) {
1298
det_ctx->sgh = p->flow->sgh_toserver;
1299
sms_runflags |= SMS_USE_FLOW_SGH;
1300
} else if (p->flowflags & FLOW_PKT_TOCLIENT && p->flow->flags & FLOW_SGH_TOCLIENT) {
1301
det_ctx->sgh = p->flow->sgh_toclient;
1302
sms_runflags |= SMS_USE_FLOW_SGH;
1303
}
1304
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
1305
1306
smsg = SigMatchSignaturesGetSmsg(p->flow, p, flags);
1307
#if 0
1308
StreamMsg *tmpsmsg = smsg;
1309
while (tmpsmsg) {
1310
printf("detect ---start---:\n");
1311
PrintRawDataFp(stdout,tmpsmsg->data.data,tmpsmsg->data.data_len);
1312
printf("detect ---end---:\n");
1313
tmpsmsg = tmpsmsg->next;
1314
}
1315
#endif
1316
}
1317
1318
/* Retrieve the app layer state and protocol and the tcp reassembled
1319
* stream chunks. */
1320
if ((p->proto == IPPROTO_TCP && p->flags & PKT_STREAM_EST) ||
1321
(p->proto == IPPROTO_UDP && p->flowflags & FLOW_PKT_ESTABLISHED) ||
1322
(p->proto == IPPROTO_SCTP && p->flowflags & FLOW_PKT_ESTABLISHED))
1323
{
1324
alstate = AppLayerGetProtoStateFromPacket(p);
1325
alproto = AppLayerGetProtoFromPacket(p);
1326
alversion = AppLayerGetStateVersion(p->flow);
1327
SCLogDebug("alstate %p, alproto %u", alstate, alproto);
1328
} else {
1329
SCLogDebug("packet doesn't have established flag set (proto %d)", p->proto);
1330
}
1331
}
764
1332
SCMutexUnlock(&p->flow->m);
765
1333
766
1334
if (p->flowflags & FLOW_PKT_TOSERVER) {
771
1339
SCLogDebug("flag STREAM_TOCLIENT set");
772
1340
}
773
1341
SCLogDebug("p->flowflags 0x%02x", p->flowflags);
774
}
775
776
/* match the ip only signatures */
777
if ((p->flowflags & FLOW_PKT_TOSERVER && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
778
(p->flowflags & FLOW_PKT_TOCLIENT && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET))) {
779
SCLogDebug("testing against \"ip-only\" signatures");
780
781
IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
782
/* save in the flow that we scanned this direction... locking is
783
* done in the FlowSetIPOnlyFlag function. */
784
if (p->flow != NULL) {
1342
1343
if ((p->flowflags & FLOW_PKT_TOSERVER && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
1344
(p->flowflags & FLOW_PKT_TOCLIENT && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET)))
1345
{
1346
SCLogDebug("testing against \"ip-only\" signatures");
1347
1348
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
1349
IPOnlyMatchPacket(th_v, de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
1350
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
1351
1352
/* save in the flow that we scanned this direction... locking is
1353
* done in the FlowSetIPOnlyFlag function. */
785
1354
FlowSetIPOnlyFlag(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
786
}
787
} else if (p->flow != NULL && ((p->flowflags & FLOW_PKT_TOSERVER &&
788
(p->flow->flags & FLOW_TOSERVER_IPONLY_SET)) ||
789
(p->flowflags & FLOW_PKT_TOCLIENT &&
790
(p->flow->flags & FLOW_TOCLIENT_IPONLY_SET)))) {
791
/* Get the result of the first IPOnlyMatch() */
792
if (p->flow->flags & FLOW_ACTION_PASS) {
793
/* if it matched a "pass" rule, we have to let it go */
794
p->action |= ACTION_PASS;
795
}
796
/* If we have a drop from IP only module,
797
* we will drop the rest of the flow packets
798
* This will apply only to inline/IPS */
799
if (p->flow != NULL &&
800
(p->flow->flags & FLOW_ACTION_DROP))
1355
1356
} else if ((p->flowflags & FLOW_PKT_TOSERVER &&
1357
(p->flow->flags & FLOW_TOSERVER_IPONLY_SET)) ||
1358
(p->flowflags & FLOW_PKT_TOCLIENT &&
1359
(p->flow->flags & FLOW_TOCLIENT_IPONLY_SET)))
801
1360
{
802
alert_flags = PACKET_ALERT_FLAG_DROP_FLOW;
803
p->action |= ACTION_DROP;
804
}
805
} else {
1361
/* Get the result of the first IPOnlyMatch() */
1362
if (p->flow->flags & FLOW_ACTION_PASS) {
1363
/* if it matched a "pass" rule, we have to let it go */
1364
p->action |= ACTION_PASS;
1365
}
1366
/* If we have a drop from IP only module,
1367
* we will drop the rest of the flow packets
1368
* This will apply only to inline/IPS */
1369
if (p->flow->flags & FLOW_ACTION_DROP)
1370
{
1371
alert_flags = PACKET_ALERT_FLAG_DROP_FLOW;
1372
p->action |= ACTION_DROP;
1373
}
1374
}
1375
1376
if (!(sms_runflags & SMS_USE_FLOW_SGH)) {
1377
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
1378
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
1379
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
1380
}
1381
} else { /* p->flags & PKT_HAS_FLOW */
1382
/* no flow */
1383
806
1384
/* Even without flow we should match the packet src/dst */
807
IPOnlyMatchPacket(de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
808
}
1385
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
1386
IPOnlyMatchPacket(th_v, de_ctx, det_ctx, &de_ctx->io_ctx,
1387
&det_ctx->io_ctx, p);
1388
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
809
1389
810
/* use the sgh from the flow unless we have no flow or the flow
811
* sgh wasn't initialized yet */
812
if (sgh == NULL && !use_flow_sgh) {
1390
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH);
813
1391
det_ctx->sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
814
} else {
815
det_ctx->sgh = sgh;
1392
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH);
816
1393
}
1394
817
1395
/* if we didn't get a sig group head, we
818
1396
* have nothing to do.... */
819
1397
if (det_ctx->sgh == NULL) {
821
1399
goto end;
822
1400
}
823
1401
824
/* have a look at the reassembled stream (if any) */
825
if (p->flowflags & FLOW_PKT_ESTABLISHED) {
826
SCLogDebug("p->flowflags & FLOW_PKT_ESTABLISHED");
827
if (smsg != NULL && det_ctx->sgh->mpm_stream_ctx != NULL) {
828
cnt = StreamPatternSearch(th_v, det_ctx, p, smsg, flags);
829
SCLogDebug("cnt %u", cnt);
830
} else {
831
SCLogDebug("smsg NULL (%p) or det_ctx->sgh->mpm_stream_ctx NULL (%p)", smsg, det_ctx->sgh->mpm_stream_ctx);
832
}
833
} else {
834
SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
835
}
836
837
if (p->payload_len > 0 && det_ctx->sgh->mpm_ctx != NULL &&
838
(!(p->flags & PKT_NOPAYLOAD_INSPECTION) && !(p->flags & PKT_STREAM_ADD)))
839
{
840
/* run the multi packet matcher against the payload of the packet */
841
if (det_ctx->sgh->mpm_content_maxlen > p->payload_len) {
842
SCLogDebug("not mpm-inspecting as pkt payload is smaller than "
843
"the largest content length we need to match");
844
} else {
845
SCLogDebug("search: (%p, maxlen %" PRIu32 ", sgh->sig_cnt %" PRIu32 ")",
846
det_ctx->sgh, det_ctx->sgh->mpm_content_maxlen, det_ctx->sgh->sig_cnt);
847
#if 0
848
if (det_ctx->sgh->mpm_content_maxlen == 1) det_ctx->pkts_searched1++;
849
else if (det_ctx->sgh->mpm_content_maxlen == 2) det_ctx->pkts_searched2++;
850
else if (det_ctx->sgh->mpm_content_maxlen == 3) det_ctx->pkts_searched3++;
851
else if (det_ctx->sgh->mpm_content_maxlen == 4) det_ctx->pkts_searched4++;
852
else det_ctx->pkts_searched++;
853
#endif
854
cnt = PacketPatternSearch(th_v, det_ctx, p);
855
if (cnt > 0) {
856
#if 0
857
det_ctx->mpm_match++;
858
#endif
859
}
860
861
SCLogDebug("post search: cnt %" PRIu32, cnt);
862
}
863
}
864
865
det_ctx->de_mpm_scanned_uri = FALSE;
866
1402
/* run the mpm for each type */
1403
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM);
1404
DetectMpmPrefilter(de_ctx, det_ctx, smsg, p, flags, alproto,
1405
alstate, &sms_runflags);
1406
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM);
1407
1408
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_STATEFUL);
867
1409
/* stateful app layer detection */
868
869
/* initialize to 0 (DE_STATE_MATCH_NOSTATE) */
870
memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len);
871
872
/* if applicable, continue stateful detection */
873
if (p->flow != NULL && DeStateFlowHasState(p->flow)) {
874
DeStateDetectContinueDetection(th_v, de_ctx, det_ctx, p->flow,
875
flags, alstate, alproto);
1410
if (p->flags & PKT_HAS_FLOW && alstate != NULL) {
1411
/* initialize to 0 (DE_STATE_MATCH_NOSTATE) */
1412
memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len);
1413
1414
/* if applicable, continue stateful detection */
1415
int state = DeStateFlowHasState(p->flow, flags, alversion);
1416
if (state == 1) {
1417
DeStateDetectContinueDetection(th_v, de_ctx, det_ctx, p->flow,
1418
flags, alstate, alproto, alversion);
1419
} else if (state == 2) {
1420
alstate = NULL;
1421
}
876
1422
}
877
1423
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_STATEFUL);
1424
1425
/* create our prefilter mask */
1426
SignatureMask mask = 0;
1427
PacketCreateMask(p, &mask, alproto, alstate, smsg);
1428
1429
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_PREFILTER);
878
1430
/* build the match array */
879
SigMatchSignaturesBuildMatchArray(de_ctx, det_ctx, p, alproto);
1431
SigMatchSignaturesBuildMatchArray(det_ctx, p, mask, alproto);
1432
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_PREFILTER);
880
1433
1434
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_RULES);
881
1435
/* inspect the sigs against the packet */
882
1436
for (idx = 0; idx < det_ctx->match_array_cnt; idx++) {
883
PROFILING_START;
1437
StreamMsg *alert_msg = NULL;
1438
RULE_PROFILING_START;
884
1439
885
1440
s = det_ctx->match_array[idx];
886
1441
SCLogDebug("inspecting signature id %"PRIu32"", s->id);
887
1442
1443
/* check if this signature has a requirement for flowvars of some type
1444
* and if so, if we actually have any in the flow. If not, the sig
1445
* can't match and we skip it. */
1446
if (p->flags & PKT_HAS_FLOW && s->flags & SIG_FLAG_REQUIRE_FLOWVAR) {
1447
SCMutexLock(&p->flow->m);
1448
int m = p->flow->flowvar ? 1 : 0;
1449
SCMutexUnlock(&p->flow->m);
1450
1451
/* no flowvars? skip this sig */
1452
if (m == 0) {
1453
SCLogDebug("skipping sig as the flow has no flowvars and sig "
1454
"has SIG_FLAG_REQUIRE_FLOWVAR flag set.");
1455
goto next;
1456
}
1457
}
1458
888
1459
if (DetectProtoContainsProto(&s->proto, IP_GET_IPPROTO(p)) == 0) {
889
1460
SCLogDebug("proto didn't match");
890
1461
goto next;
891
1462
}
892
1463
893
1464
/* check the source & dst port in the sig */
894
if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) {
1465
if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
895
1466
if (!(s->flags & SIG_FLAG_DP_ANY)) {
896
1467
DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
897
1468
if (dport == NULL) {
929
1500
}
930
1501
}
931
1502
932
if (s->flags & SIG_FLAG_DSIZE && s->dsize_sm != NULL) {
933
if (sigmatch_table[DETECT_DSIZE].Match(th_v, det_ctx, p, s, s->dsize_sm) == 0)
934
continue;
935
}
936
937
1503
/* Check the payload keywords. If we are a MPM sig and we've made
938
1504
* to here, we've had at least one of the patterns match */
939
if (s->pmatch != NULL) {
1505
if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
940
1506
/* if we have stream msgs, inspect against those first,
941
1507
* but not for a "dsize" signature */
942
if (!(s->flags & SIG_FLAG_DSIZE) && smsg != NULL) {
1508
if (!(s->flags & SIG_FLAG_REQUIRE_PACKET) && smsg != NULL) {
943
1509
char pmatch = 0;
944
1510
uint8_t pmq_idx = 0;
945
1511
StreamMsg *smsg_inspect = smsg;
946
1512
for ( ; smsg_inspect != NULL; smsg_inspect = smsg_inspect->next, pmq_idx++) {
947
if (det_ctx->smsg_pmq[pmq_idx].pattern_id_array_cnt == 0) {
948
SCLogDebug("no match in smsg_inspect %p (%u), idx %d", smsg_inspect, smsg_inspect->data.data_len, pmq_idx);
949
continue;
950
}
1513
//if (det_ctx->smsg_pmq[pmq_idx].pattern_id_array_cnt == 0) {
1514
// SCLogDebug("no match in smsg_inspect %p (%u), idx %d", smsg_inspect, smsg_inspect->data.data_len, pmq_idx);
1515
// continue;
1516
//}
951
1517
952
1518
if (det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray != NULL) {
953
1519
/* filter out sigs that want pattern matches, but
954
1520
* have no matches */
955
if (!(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_stream_pattern_id / 8)] & (1<<(s->mpm_stream_pattern_id % 8))) &&
956
(s->flags & SIG_FLAG_MPM) && !(s->flags & SIG_FLAG_MPM_NEGCONTENT)) {
1521
if (!(det_ctx->smsg_pmq[pmq_idx].pattern_id_bitarray[(s->mpm_stream_pattern_id_div_8)] & s->mpm_stream_pattern_id_mod_8) &&
1522
(s->flags & SIG_FLAG_MPM_STREAM) && !(s->flags & SIG_FLAG_MPM_STREAM_NEG)) {
957
1523
SCLogDebug("no match in this smsg");
958
1524
continue;
959
1525
}
961
1527
if (DetectEngineInspectStreamPayload(de_ctx, det_ctx, s, p->flow, smsg_inspect->data.data, smsg_inspect->data.data_len) == 1) {
962
1528
SCLogDebug("match in smsg %p", smsg);
963
1529
pmatch = 1;
964
/* Tell the enigne that this reassembled stream can drop the
1530
/* Tell the engine that this reassembled stream can drop the
965
1531
* rest of the pkts with no further inspection */
966
1532
if (s->action == ACTION_DROP)
967
1533
alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;
1534
1535
/* store ptr to current smsg */
1536
if (alert_msg == NULL) {
1537
alert_msg = smsg_inspect;
1538
p->alerts.alert_msgs = smsg;
1539
}
1540
968
1541
break;
969
1542
}
970
1543
}
974
1547
if (pmatch == 0) {
975
1548
SCLogDebug("no match in smsg, fall back to packet payload");
976
1549
1550
if (sms_runflags & SMS_USED_PM) {
1551
if (s->flags & SIG_FLAG_MPM_PACKET && !(s->flags & SIG_FLAG_MPM_PACKET_NEG) &&
1552
!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] &
1553
s->mpm_pattern_id_mod_8)) {
1554
goto next;
1555
}
1556
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1) {
1557
goto next;
1558
}
1559
} else {
1560
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
1561
goto next;
1562
}
1563
}
1564
} else {
1565
if (sms_runflags & SMS_USED_PM) {
1566
if (s->flags & SIG_FLAG_MPM_PACKET && !(s->flags & SIG_FLAG_MPM_PACKET_NEG) &&
1567
!(det_ctx->pmq.pattern_id_bitarray[(s->mpm_pattern_id_div_8)] &
1568
s->mpm_pattern_id_mod_8)) {
1569
goto next;
1570
}
1571
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1) {
1572
goto next;
1573
}
1574
1575
} else {
977
1576
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
978
1577
goto next;
979
1578
}
980
} else {
981
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
982
goto next;
983
1579
}
984
1580
}
985
1581
986
SCLogDebug("s->amatch %p, s->umatch %p, s->dmatch %p",
987
s->amatch, s->umatch, s->dmatch);
1582
SCLogDebug("s->sm_lists[DETECT_SM_LIST_AMATCH] %p, "
1583
"s->sm_lists[DETECT_SM_LIST_UMATCH] %p, "
1584
"s->sm_lists[DETECT_SM_LIST_DMATCH] %p, "
1585
"s->sm_lists[DETECT_SM_LIST_HCDMATCH] %p",
1586
s->sm_lists[DETECT_SM_LIST_AMATCH],
1587
s->sm_lists[DETECT_SM_LIST_UMATCH],
1588
s->sm_lists[DETECT_SM_LIST_DMATCH],
1589
s->sm_lists[DETECT_SM_LIST_HCDMATCH]);
988
1590
989
if (s->amatch != NULL || s->umatch != NULL || s->dmatch != NULL) {
1591
/* consider stateful sig matches */
1592
if (s->flags & SIG_FLAG_STATE_MATCH) {
990
1593
if (alstate == NULL) {
991
1594
SCLogDebug("state matches but no state, we can't match");
992
1595
goto next;
994
1597
995
1598
if (det_ctx->de_state_sig_array[s->num] == DE_STATE_MATCH_NOSTATE) {
996
1599
SCLogDebug("stateful app layer match inspection starting");
997
if (DeStateDetectStartDetection(th_v, de_ctx, det_ctx, s,
998
p->flow, flags, alstate, alproto) != 1) {
1600
1601
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_STATEFUL);
1602
int de_r = DeStateDetectStartDetection(th_v, de_ctx, det_ctx, s,
1603
p->flow, flags, alstate, alproto, alversion);
1604
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_STATEFUL);
1605
1606
if (de_r != 1) {
999
1607
goto next;
1000
} else {
1001
if (s->action == ACTION_DROP)
1002
alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;
1003
1608
}
1004
1609
} else {
1005
1610
SCLogDebug("already having a destate");
1008
1613
s->id, (uintmax_t)s->num, DeStateMatchResultToString(det_ctx->de_state_sig_array[s->num]));
1009
1614
if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
1010
1615
goto next;
1011
} else {
1012
if (s->action == ACTION_DROP)
1013
alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;
1014
1616
}
1015
1617
}
1618
1619
/* match */
1620
if (s->action == ACTION_DROP)
1621
alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;
1622
1623
alert_flags |= PACKET_ALERT_FLAG_STATE_MATCH;
1016
1624
}
1017
1625
1018
1626
/* if we get here but have no sigmatches to match against,
1019
1627
* we consider the sig matched. */
1020
if (s->match == NULL) {
1628
if (s->sm_lists[DETECT_SM_LIST_MATCH] == NULL) {
1021
1629
SCLogDebug("signature matched without sigmatches");
1022
1630
1023
1631
fmatch = 1;
1632
1633
DetectReplaceExecute(p, det_ctx->replist);
1634
det_ctx->replist = NULL;
1024
1635
if (!(s->flags & SIG_FLAG_NOALERT)) {
1025
PacketAlertAppend(det_ctx, s, p, alert_flags);
1636
PacketAlertAppend(det_ctx, s, p, alert_flags, NULL);
1026
1637
}
1027
1638
} else {
1028
1639
if (s->flags & SIG_FLAG_RECURSIVE) {
1029
1640
uint8_t rmatch = 0;
1030
det_ctx->pkt_cnt = 0;
1641
uint8_t recursion_cnt = 0;
1031
1642
1032
1643
do {
1033
sm = s->match;
1644
sm = s->sm_lists[DETECT_SM_LIST_MATCH];
1034
1645
while (sm) {
1035
1646
match = sigmatch_table[sm->type].Match(th_v, det_ctx, p, s, sm);
1036
1647
if (match > 0) {
1039
1650
1040
1651
/* only if the last matched as well, we have a hit */
1041
1652
if (sm == NULL) {
1653
1654
DetectReplaceExecute(p, det_ctx->replist);
1655
det_ctx->replist = NULL;
1042
1656
if (!(s->flags & SIG_FLAG_NOALERT)) {
1043
1657
/* only add once */
1044
1658
if (rmatch == 0) {
1045
PacketAlertAppend(det_ctx, s, p, alert_flags);
1659
PacketAlertAppend(det_ctx, s, p, alert_flags, alert_msg);
1046
1660
}
1047
1661
}
1048
1662
rmatch = fmatch = 1;
1049
det_ctx->pkt_cnt++;
1663
recursion_cnt++;
1050
1664
}
1051
1665
} else {
1052
1666
/* done with this sig */
1053
1667
sm = NULL;
1054
1668
rmatch = 0;
1669
1670
DetectReplaceFree(det_ctx->replist);
1671
det_ctx->replist = NULL;
1055
1672
}
1056
1673
}
1057
1674
1058
1675
/* Limit the number of times we do this recursive thing.
1059
1676
* XXX is this a sane limit? Should it be configurable? */
1060
if (det_ctx->pkt_cnt == 10)
1061
goto done;
1677
if (recursion_cnt == 10)
1678
goto next;
1062
1679
} while (rmatch);
1063
1680
1064
1681
} else {
1065
sm = s->match;
1682
sm = s->sm_lists[DETECT_SM_LIST_MATCH];
1066
1683
1067
1684
SCLogDebug("running match functions, sm %p", sm);
1068
1685
while (sm) {
1074
1691
/* only if the last matched as well, we have a hit */
1075
1692
if (sm == NULL) {
1076
1693
fmatch = 1;
1694
DetectReplaceExecute(p, det_ctx->replist);
1695
det_ctx->replist = NULL;
1696
1077
1697
if (!(s->flags & SIG_FLAG_NOALERT)) {
1078
PacketAlertAppend(det_ctx, s, p, alert_flags);
1698
PacketAlertAppend(det_ctx, s, p, alert_flags, alert_msg);
1079
1699
}
1080
1700
}
1081
1701
} else {
1702
DetectReplaceFree(det_ctx->replist);
1703
det_ctx->replist = NULL;
1082
1704
/* done with this sig */
1083
1705
sm = NULL;
1084
1706
}
1090
1712
next:
1091
1713
RULE_PROFILING_END(s, match);
1092
1714
continue;
1093
done:
1094
RULE_PROFILING_END(s, match);
1095
break;
1096
1715
}
1716
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_RULES);
1097
1717
1098
1718
end:
1099
if (p->flow != NULL && alstate != NULL) {
1719
if (alstate != NULL) {
1720
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_STATEFUL);
1100
1721
SCLogDebug("getting de_state_status");
1101
1722
int de_state_status = DeStateUpdateInspectTransactionId(p->flow,
1102
1723
(flags & STREAM_TOSERVER) ? STREAM_TOSERVER : STREAM_TOCLIENT);
1107
1728
DetectEngineStateReset(p->flow->de_state);
1108
1729
SCMutexUnlock(&p->flow->de_state_m);
1109
1730
}
1731
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_STATEFUL);
1110
1732
}
1111
1733
1112
1734
/* so now let's iterate the alerts and remove the ones after a pass rule
1113
1735
* matched (if any). This is done inside PacketAlertFinalize() */
1114
1736
/* PR: installed "tag" keywords are handled after the threshold inspection */
1737
1738
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_ALERT);
1115
1739
PacketAlertFinalize(de_ctx, det_ctx, p);
1116
1740
if (p->alerts.cnt > 0) {
1117
1741
SCPerfCounterAddUI64(det_ctx->counter_alerts, det_ctx->tv->sc_perf_pca, (uint64_t)p->alerts.cnt);
1118
1742
}
1743
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
1119
1744
1745
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_CLEANUP);
1120
1746
/* cleanup pkt specific part of the patternmatcher */
1121
1747
PacketPatternCleanup(th_v, det_ctx);
1122
if (smsg != NULL) {
1123
StreamPatternCleanup(th_v, det_ctx, smsg);
1124
}
1748
1749
DetectEngineCleanHCBDBuffers(det_ctx);
1750
DetectEngineCleanHHDBuffers(det_ctx);
1125
1751
1126
1752
/* store the found sgh (or NULL) in the flow to save us from looking it
1127
1753
* up again for the next packet. Also return any stream chunk we processed
1128
1754
* to the pool. */
1129
if (p->flow != NULL) {
1755
if (p->flags & PKT_HAS_FLOW) {
1756
if (sms_runflags & SMS_USED_STREAM_PM) {
1757
StreamPatternCleanup(th_v, det_ctx, smsg);
1758
}
1759
1130
1760
SCMutexLock(&p->flow->m);
1131
if (no_store_flow_sgh == FALSE) {
1761
if (!(sms_runflags & SMS_USE_FLOW_SGH)) {
1132
1762
if (p->flowflags & FLOW_PKT_TOSERVER && !(p->flow->flags & FLOW_SGH_TOSERVER)) {
1133
1763
p->flow->sgh_toserver = det_ctx->sgh;
1134
1764
p->flow->flags |= FLOW_SGH_TOSERVER;
1138
1768
}
1139
1769
}
1140
1770
1141
/* if we have (a) smsg(s), return to the pool */
1142
while (smsg != NULL) {
1143
StreamMsg *smsg_next = smsg->next;
1144
SCLogDebug("returning smsg %p to pool", smsg);
1145
smsg->next = NULL;
1146
smsg->prev = NULL;
1147
smsg->flow = NULL;
1148
StreamMsgReturnToPool(smsg);
1149
smsg = smsg_next;
1771
/* if we had no alerts that involved the smsgs,
1772
* we can get rid of them now. */
1773
if (p->alerts.alert_msgs == NULL) {
1774
/* if we have (a) smsg(s), return to the pool */
1775
StreamMsgReturnListToPool(smsg);
1150
1776
}
1777
1151
1778
SCMutexUnlock(&p->flow->m);
1152
1779
1153
1780
FlowDecrUsecnt(p->flow);
1154
1781
}
1782
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_CLEANUP);
1155
1783
1156
1784
SCReturnInt(fmatch);
1157
1785
}
1168
1796
*/
1169
1797
TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
1170
1798
{
1171
DetectEngineThreadCtx *det_ctx = NULL;
1172
DetectEngineCtx *de_ctx = NULL;
1173
int r = 0;
1174
1175
1799
DEBUG_VALIDATE_PACKET(p);
1176
1800
1177
1801
/* No need to perform any detection on this packet, if the the given flag is set.*/
1178
if (p->flags & PKT_NOPACKET_INSPECTION)
1802
if (p->flags & PKT_NOPACKET_INSPECTION || p->action & ACTION_DROP)
1179
1803
return 0;
1180
1804
1181
det_ctx = (DetectEngineThreadCtx *)data;
1805
DetectEngineThreadCtx *det_ctx = (DetectEngineThreadCtx *)data;
1182
1806
if (det_ctx == NULL) {
1183
1807
printf("ERROR: Detect has no thread ctx\n");
1184
1808
goto error;
1185
1809
}
1186
1810
1187
de_ctx = det_ctx->de_ctx;
1811
DetectEngineCtx *de_ctx = det_ctx->de_ctx;
1188
1812
if (de_ctx == NULL) {
1189
1813
printf("ERROR: Detect has no detection engine ctx\n");
1190
1814
goto error;
1191
1815
}
1192
1816
1193
1817
/* see if the packet matches one or more of the sigs */
1194
r = SigMatchSignatures(tv,de_ctx,det_ctx,p);
1818
int r = SigMatchSignatures(tv,de_ctx,det_ctx,p);
1195
1819
if (r >= 0) {
1196
1820
return TM_ECODE_OK;
1197
1821
}
1269
1893
if (s->alproto != ALPROTO_UNKNOWN)
1270
1894
return 0;
1271
1895
1272
/* for tcp/udp, only consider sigs that don't have ports set, as ip-only */
1273
if (!(s->proto.flags & DETECT_PROTO_ANY)) {
1274
if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8)) ||
1275
s->proto.proto[IPPROTO_UDP / 8] & (1 << (IPPROTO_UDP % 8))) {
1276
if (!(s->flags & SIG_FLAG_SP_ANY))
1277
return 0;
1278
1279
if (!(s->flags & SIG_FLAG_DP_ANY))
1280
return 0;
1281
/*
1282
} else if ((s->proto.proto[IPPROTO_ICMP / 8] & (1 << (IPPROTO_ICMP % 8))) ||
1283
(s->proto.proto[IPPROTO_ICMPV6 / 8] & (1 << (IPPROTO_ICMPV6 % 8)))) {
1284
SCLogDebug("ICMP sigs are not IP-Only until we support ICMP in flow.");
1285
return 0;
1286
*/
1287
}
1288
}
1289
1290
if (s->pmatch != NULL)
1291
return 0;
1292
1293
if (s->umatch != NULL)
1294
return 0;
1295
1296
if (s->amatch != NULL)
1297
return 0;
1298
1299
SigMatch *sm = s->match;
1896
if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL)
1897
return 0;
1898
1899
if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL)
1900
return 0;
1901
1902
if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL)
1903
return 0;
1904
1905
if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL)
1906
return 0;
1907
1908
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL)
1909
return 0;
1910
1911
if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL)
1912
return 0;
1913
1914
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL)
1915
return 0;
1916
1917
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL)
1918
return 0;
1919
1920
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL)
1921
return 0;
1922
1923
SigMatch *sm = s->sm_lists[DETECT_SM_LIST_MATCH];
1300
1924
if (sm == NULL)
1301
1925
goto iponly;
1302
1926
1303
for ( ;sm != NULL; sm = sm->next) {
1927
for ( ; sm != NULL; sm = sm->next) {
1304
1928
if ( !(sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
1305
1929
return 0;
1930
/* we have enabled flowbits to be compatible with ip only sigs, as long
1931
* as the sig only has a "set" flowbits */
1932
if (sm->type == DETECT_FLOWBITS &&
1933
(((DetectFlowbitsData *)sm->ctx)->cmd != DETECT_FLOWBITS_CMD_SET) ) {
1934
return 0;
1935
}
1306
1936
}
1307
1937
1308
1938
iponly:
1324
1954
*/
1325
1955
static int SignatureIsInspectingPayload(DetectEngineCtx *de_ctx, Signature *s) {
1326
1956
1327
if (s->pmatch != NULL) {
1957
if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
1328
1958
return 1;
1329
1959
}
1330
1960
#if 0
1331
SigMatch *sm = s->pmatch;
1961
SigMatch *sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1332
1962
if (sm == NULL)
1333
1963
return 0;
1334
1964
1352
1982
* \retval 1 DEOnly sig
1353
1983
*/
1354
1984
static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, Signature *s) {
1355
if (s->alproto != ALPROTO_UNKNOWN)
1356
return 0;
1357
1358
if (s->pmatch != NULL)
1359
return 0;
1360
1361
if (s->umatch != NULL)
1362
return 0;
1363
1364
if (s->amatch != NULL)
1365
return 0;
1366
1367
SigMatch *sm = s->match;
1985
if (s->alproto != ALPROTO_UNKNOWN) {
1986
SCReturnInt(0);
1987
}
1988
1989
if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL ||
1990
s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL ||
1991
s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL ||
1992
s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
1993
s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL ||
1994
s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL ||
1995
s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL ||
1996
s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL ||
1997
s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL)
1998
{
1999
SCReturnInt(0);
2000
}
2001
1368
2002
/* check for conflicting keywords */
2003
SigMatch *sm = s->sm_lists[DETECT_SM_LIST_MATCH];
1369
2004
for ( ;sm != NULL; sm = sm->next) {
1370
2005
if ( !(sigmatch_table[sm->type].flags & SIGMATCH_DEONLY_COMPAT))
1371
return 0;
2006
SCReturnInt(0);
1372
2007
}
1373
2008
1374
sm = s->match;
1375
2009
/* need at least one decode event keyword to be condered decode event. */
2010
sm = s->sm_lists[DETECT_SM_LIST_MATCH];
1376
2011
for ( ;sm != NULL; sm = sm->next) {
1377
2012
if (sm->type == DETECT_DECODE_EVENT)
1378
2013
goto deonly;
2014
if (sm->type == DETECT_ENGINE_EVENT)
2015
goto deonly;
2016
if (sm->type == DETECT_STREAM_EVENT)
2017
goto deonly;
1379
2018
}
1380
return 0;
2019
2020
SCReturnInt(0);
1381
2021
1382
2022
deonly:
1383
2023
if (!(de_ctx->flags & DE_QUIET)) {
1386
2026
s->flags & SIG_FLAG_DST_ANY ? "ANY" : "SET");
1387
2027
}
1388
2028
1389
return 1;
2029
SCReturnInt(1);
2030
}
2031
2032
#define MASK_TCP_INITDEINIT_FLAGS (TH_SYN|TH_RST|TH_FIN)
2033
#define MASK_TCP_UNUSUAL_FLAGS (TH_URG|TH_ECN|TH_CWR)
2034
2035
/* Create mask for this packet + it's flow if it has one
2036
*
2037
* Sets SIG_MASK_REQUIRE_PAYLOAD, SIG_MASK_REQUIRE_FLOW,
2038
* SIG_MASK_REQUIRE_HTTP_STATE, SIG_MASK_REQUIRE_DCE_STATE
2039
*/
2040
static void
2041
PacketCreateMask(Packet *p, SignatureMask *mask, uint16_t alproto, void *alstate, StreamMsg *smsg) {
2042
if (!(p->flags & PKT_NOPAYLOAD_INSPECTION) && (p->payload_len > 0 || smsg != NULL)) {
2043
SCLogDebug("packet has payload");
2044
(*mask) |= SIG_MASK_REQUIRE_PAYLOAD;
2045
} else {
2046
SCLogDebug("packet has no payload");
2047
(*mask) |= SIG_MASK_REQUIRE_NO_PAYLOAD;
2048
}
2049
2050
if (PKT_IS_TCP(p)) {
2051
if ((p->tcph->th_flags & MASK_TCP_INITDEINIT_FLAGS) != 0) {
2052
(*mask) |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
2053
}
2054
if ((p->tcph->th_flags & MASK_TCP_UNUSUAL_FLAGS) != 0) {
2055
(*mask) |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
2056
}
2057
}
2058
2059
if (p->flags & PKT_HAS_FLOW) {
2060
SCLogDebug("packet has flow");
2061
(*mask) |= SIG_MASK_REQUIRE_FLOW;
2062
2063
if (alstate != NULL) {
2064
switch(alproto) {
2065
case ALPROTO_HTTP:
2066
SCLogDebug("packet/flow has http state");
2067
(*mask) |= SIG_MASK_REQUIRE_HTTP_STATE;
2068
break;
2069
case ALPROTO_SMB:
2070
case ALPROTO_SMB2:
2071
case ALPROTO_DCERPC:
2072
SCLogDebug("packet/flow has dce state");
2073
(*mask) |= SIG_MASK_REQUIRE_DCE_STATE;
2074
break;
2075
default:
2076
SCLogDebug("packet/flow has other state");
2077
break;
2078
}
2079
} else {
2080
SCLogDebug("no alstate");
2081
}
2082
}
2083
}
2084
2085
static int SignatureCreateMask(Signature *s) {
2086
SCEnter();
2087
2088
if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
2089
s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
2090
SCLogDebug("sig requires payload");
2091
}
2092
2093
if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) {
2094
s->mask |= SIG_MASK_REQUIRE_DCE_STATE;
2095
SCLogDebug("sig requires dce state");
2096
}
2097
2098
if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL) {
2099
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2100
SCLogDebug("sig requires http state");
2101
}
2102
2103
if (s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL) {
2104
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2105
SCLogDebug("sig requires http app state");
2106
}
2107
2108
if (s->sm_lists[DETECT_SM_LIST_HHDMATCH] != NULL) {
2109
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2110
SCLogDebug("sig requires http app state");
2111
}
2112
2113
if (s->sm_lists[DETECT_SM_LIST_HRHDMATCH] != NULL) {
2114
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2115
SCLogDebug("sig requires http app state");
2116
}
2117
2118
if (s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL) {
2119
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2120
SCLogDebug("sig requires http app state");
2121
}
2122
2123
if (s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL) {
2124
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2125
SCLogDebug("sig requires http app state");
2126
}
2127
2128
if (s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) {
2129
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2130
SCLogDebug("sig requires http app state");
2131
}
2132
2133
SigMatch *sm;
2134
for (sm = s->sm_lists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) {
2135
switch(sm->type) {
2136
case DETECT_AL_HTTP_COOKIE:
2137
case DETECT_AL_HTTP_METHOD:
2138
case DETECT_AL_URILEN:
2139
case DETECT_AL_HTTP_CLIENT_BODY:
2140
case DETECT_AL_HTTP_HEADER:
2141
case DETECT_AL_HTTP_RAW_HEADER:
2142
case DETECT_AL_HTTP_URI:
2143
case DETECT_AL_HTTP_RAW_URI:
2144
case DETECT_PCRE_HTTPBODY:
2145
case DETECT_PCRE_HTTPCOOKIE:
2146
case DETECT_PCRE_HTTPHEADER:
2147
case DETECT_PCRE_HTTPMETHOD:
2148
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
2149
SCLogDebug("sig requires dce http state");
2150
break;
2151
}
2152
}
2153
2154
for (sm = s->sm_lists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
2155
switch(sm->type) {
2156
case DETECT_FLOWBITS:
2157
{
2158
/* figure out what flowbit action */
2159
DetectFlowbitsData *fb = (DetectFlowbitsData *)sm->ctx;
2160
if (fb->cmd == DETECT_FLOWBITS_CMD_ISSET) {
2161
/* not a mask flag, but still set it here */
2162
s->flags |= SIG_FLAG_REQUIRE_FLOWVAR;
2163
2164
SCLogDebug("SIG_FLAG_REQUIRE_FLOWVAR set as sig has "
2165
"flowbit isset option.");
2166
}
2167
2168
/* flow is required for any flowbit manipulation */
2169
s->mask |= SIG_MASK_REQUIRE_FLOW;
2170
SCLogDebug("sig requires flow to be able to manipulate "
2171
"flowbit(s)");
2172
break;
2173
}
2174
case DETECT_FLAGS:
2175
{
2176
DetectFlagsData *fl = (DetectFlagsData *)sm->ctx;
2177
2178
if (fl->flags & TH_SYN) {
2179
s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
2180
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
2181
}
2182
if (fl->flags & TH_RST) {
2183
s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
2184
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
2185
}
2186
if (fl->flags & TH_FIN) {
2187
s->mask |= SIG_MASK_REQUIRE_FLAGS_INITDEINIT;
2188
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_INITDEINIT");
2189
}
2190
if (fl->flags & TH_URG) {
2191
s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
2192
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
2193
}
2194
if (fl->flags & TH_ECN) {
2195
s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
2196
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
2197
}
2198
if (fl->flags & TH_CWR) {
2199
s->mask |= SIG_MASK_REQUIRE_FLAGS_UNUSUAL;
2200
SCLogDebug("sig requires SIG_MASK_REQUIRE_FLAGS_UNUSUAL");
2201
}
2202
break;
2203
}
2204
case DETECT_DSIZE:
2205
{
2206
DetectDsizeData *ds = (DetectDsizeData *)sm->ctx;
2207
switch (ds->mode) {
2208
case DETECTDSIZE_LT:
2209
/* LT will include 0, so no payload.
2210
* if GT is used in the same rule the
2211
* flag will be set anyway. */
2212
break;
2213
case DETECTDSIZE_RA:
2214
case DETECTDSIZE_GT:
2215
s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
2216
SCLogDebug("sig requires payload");
2217
break;
2218
case DETECTDSIZE_EQ:
2219
if (ds->dsize > 0) {
2220
s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
2221
SCLogDebug("sig requires payload");
2222
} else if (ds->dsize == 0) {
2223
s->mask |= SIG_MASK_REQUIRE_NO_PAYLOAD;
2224
SCLogDebug("sig requires no payload");
2225
}
2226
break;
2227
}
2228
break;
2229
}
2230
}
2231
}
2232
2233
if (s->mask & SIG_MASK_REQUIRE_DCE_STATE ||
2234
s->mask & SIG_MASK_REQUIRE_HTTP_STATE)
2235
{
2236
s->mask |= SIG_MASK_REQUIRE_FLOW;
2237
SCLogDebug("sig requires flow");
2238
}
2239
2240
if (s->init_flags & SIG_FLAG_FLOW) {
2241
s->mask |= SIG_MASK_REQUIRE_FLOW;
2242
SCLogDebug("sig requires flow");
2243
}
2244
2245
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
2246
s->mask |= SIG_MASK_REQUIRE_FLOW;
2247
SCLogDebug("sig requires flow");
2248
}
2249
2250
if (s->flags & SIG_FLAG_APPLAYER) {
2251
s->mask |= SIG_MASK_REQUIRE_FLOW;
2252
SCLogDebug("sig requires flow");
2253
}
2254
2255
SCLogDebug("mask %02X", s->mask);
2256
SCReturnInt(0);
2257
}
2258
2259
static void SigInitStandardMpmFactoryContexts(DetectEngineCtx *de_ctx)
2260
{
2261
de_ctx->sgh_mpm_context_packet =
2262
MpmFactoryRegisterMpmCtxProfile("packet",
2263
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2264
de_ctx->sgh_mpm_context_uri =
2265
MpmFactoryRegisterMpmCtxProfile("uri",
2266
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2267
de_ctx->sgh_mpm_context_stream =
2268
MpmFactoryRegisterMpmCtxProfile("stream",
2269
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2270
de_ctx->sgh_mpm_context_hcbd =
2271
MpmFactoryRegisterMpmCtxProfile("hcbd",
2272
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2273
de_ctx->sgh_mpm_context_hhd =
2274
MpmFactoryRegisterMpmCtxProfile("hhd",
2275
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2276
de_ctx->sgh_mpm_context_hrhd =
2277
MpmFactoryRegisterMpmCtxProfile("hrhd",
2278
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2279
de_ctx->sgh_mpm_context_hmd =
2280
MpmFactoryRegisterMpmCtxProfile("hmd",
2281
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2282
de_ctx->sgh_mpm_context_hcd =
2283
MpmFactoryRegisterMpmCtxProfile("hcd",
2284
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2285
de_ctx->sgh_mpm_context_hrud =
2286
MpmFactoryRegisterMpmCtxProfile("hrud",
2287
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
2288
de_ctx->sgh_mpm_context_app_proto_detect =
2289
MpmFactoryRegisterMpmCtxProfile("app_proto_detect", 0);
2290
2291
return;
1390
2292
}
1391
2293
1392
2294
/**
1439
2341
1440
2342
/* see if any sig is inspecting the packet payload */
1441
2343
} else if (SignatureIsInspectingPayload(de_ctx, tmp_s) == 1) {
1442
tmp_s->flags |= SIG_FLAG_PAYLOAD;
2344
tmp_s->init_flags |= SIG_FLAG_PAYLOAD;
1443
2345
cnt_payload++;
1444
2346
1445
2347
SCLogDebug("Signature %"PRIu32" is considered \"Payload inspecting\"", tmp_s->id);
1446
2348
} else if (SignatureIsDEOnly(de_ctx, tmp_s) == 1) {
1447
tmp_s->flags |= SIG_FLAG_DEONLY;
2349
tmp_s->init_flags |= SIG_FLAG_DEONLY;
1448
2350
SCLogDebug("Signature %"PRIu32" is considered \"Decoder Event only\"", tmp_s->id);
1449
2351
cnt_deonly++;
1450
2352
}
1460
2362
char copresent = 0;
1461
2363
SigMatch *sm;
1462
2364
DetectContentData *co;
1463
for (sm = tmp_s->match; sm != NULL; sm = sm->next) {
2365
for (sm = tmp_s->sm_lists[DETECT_SM_LIST_MATCH]; sm != NULL; sm = sm->next) {
1464
2366
if (sm->type != DETECT_CONTENT)
1465
2367
continue;
1466
2368
1481
2383
}
1482
2384
#endif /* DEBUG */
1483
2385
2386
SignatureCreateMask(tmp_s);
1484
2387
1485
2388
for (gr = tmp_s->src.ipv4_head; gr != NULL; gr = gr->next) {
1486
2389
if (SigGroupHeadAppendSig(de_ctx, &gr->sh, tmp_s) < 0) {
1517
2420
cnt_deonly);
1518
2421
1519
2422
SCLogInfo("building signature grouping structure, stage 1: "
1520
"adding signatures to signature source addresses... done");
2423
"adding signatures to signature source addresses... complete");
1521
2424
}
1522
2425
return 0;
1523
2426
1590
2493
static int DetectEngineLookupFlowAddSig(DetectEngineCtx *de_ctx, Signature *s, int family) {
1591
2494
uint8_t flags = 0;
1592
2495
1593
if (s->flags & SIG_FLAG_FLOW) {
1594
SigMatch *sm = s->match;
2496
if (s->init_flags & SIG_FLAG_FLOW) {
2497
SigMatch *sm = s->sm_lists[DETECT_SM_LIST_MATCH];
1595
2498
for ( ; sm != NULL; sm = sm->next) {
1596
2499
if (sm->type != DETECT_FLOW)
1597
2500
continue;
1679
2582
char insert = 0;
1680
2583
DetectAddress *gr, *next_gr;
1681
2584
uint32_t groups = 0;
1682
uint32_t u = 0;
1683
2585
1684
2586
/* insert the addresses into the tmplist, where it will
1685
2587
* be sorted descending on 'cnt'. */
1711
2613
tmplist = newtmp;
1712
2614
} else {
1713
2615
/* look for the place to insert */
1714
for ( ; tmpgr != NULL && !insert; tmpgr = tmpgr->next) {
2616
for ( ; tmpgr != NULL&&!insert; tmpgr = tmpgr->next) {
1715
2617
if (CompareFunc(gr, tmpgr)) {
1716
if (prevtmpgr == NULL) {
2618
if (tmpgr == tmplist) {
1717
2619
newtmp->next = tmplist;
1718
2620
tmplist = newtmp;
1719
2621
} else {
1732
2634
}
1733
2635
}
1734
2636
1735
u = unique_groups;
1736
if (u == 0)
1737
u = groups;
2637
uint32_t i = unique_groups;
2638
if (i == 0) i = groups;
1738
2639
1739
2640
for (gr = tmplist; gr != NULL; ) {
1740
2641
BUG_ON(gr->ip.family == 0 && !(gr->flags & ADDRESS_FLAG_ANY));
1741
2642
1742
if (u == 0) {
2643
if (i == 0) {
1743
2644
if (joingr == NULL) {
1744
2645
joingr = DetectAddressCopy(gr);
1745
2646
if (joingr == NULL) {
1777
2678
tmplist2 = newtmp;
1778
2679
}
1779
2680
}
1780
if (u)
1781
u--;
2681
if (i)i--;
1782
2682
1783
2683
next_gr = gr->next;
1784
2684
DetectAddressFree(gr);
1850
2750
char insert = 0;
1851
2751
DetectPort *gr, *next_gr;
1852
2752
uint32_t groups = 0;
1853
uint32_t u = 0;
1854
2753
1855
2754
HashListTableBucket *htb = HashListTableGetListHead(port_hash);
1856
2755
1880
2779
tmplist = newtmp;
1881
2780
} else {
1882
2781
/* look for the place to insert */
1883
for ( ; tmpgr != NULL && !insert; tmpgr = tmpgr->next) {
2782
for ( ; tmpgr != NULL&&!insert; tmpgr = tmpgr->next) {
1884
2783
if (CompareFunc(gr, tmpgr)) {
1885
if (prevtmpgr == NULL) {
2784
if (tmpgr == tmplist) {
1886
2785
newtmp->next = tmplist;
1887
2786
tmplist = newtmp;
1888
2787
} else {
1901
2800
}
1902
2801
}
1903
2802
1904
u = unique_groups;
1905
if (u == 0)
1906
u = groups;
2803
uint32_t i = unique_groups;
2804
if (i == 0) i = groups;
1907
2805
1908
2806
if (unique_groups > g_groupportlist_maxgroups)
1909
2807
g_groupportlist_maxgroups = unique_groups;
1914
2812
SCLogDebug("temp list gr %p", gr);
1915
2813
DetectPortPrint(gr);
1916
2814
1917
if (u == 0) {
2815
if (i == 0) {
1918
2816
if (joingr == NULL) {
1919
2817
joingr = DetectPortCopySingle(de_ctx,gr);
1920
2818
if (joingr == NULL) {
1936
2834
tmplist2 = newtmp;
1937
2835
}
1938
2836
}
1939
if (u)
1940
u--;
2837
if (i)i--;
1941
2838
1942
2839
next_gr = gr->next;
1943
2840
gr->next = NULL;
2003
2900
*/
2004
2901
int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) {
2005
2902
Signature *tmp_s = NULL;
2006
DetectAddress *gr = NULL;
2007
2903
uint32_t sigs = 0;
2008
int f, proto;
2009
uint32_t cnt_any = 0;
2010
uint32_t cnt_ipv4 = 0;
2011
uint32_t cnt_ipv6 = 0;
2012
2904
2013
2905
if (!(de_ctx->flags & DE_QUIET)) {
2014
SCLogInfo("building signature grouping structure, stage 2: "
2906
SCLogDebug("building signature grouping structure, stage 2: "
2015
2907
"building source address lists...");
2016
2908
}
2017
2909
2018
2910
IPOnlyInit(de_ctx, &de_ctx->io_ctx);
2019
2911
2912
int f, proto;
2020
2913
for (f = 0; f < FLOW_STATES; f++) {
2021
2914
for (proto = 0; proto < 256; proto++) {
2022
2915
de_ctx->flow_gh[f].src_gh[proto] = DetectAddressHeadInit();
2035
2928
SCLogDebug("tmp_s->id %"PRIu32, tmp_s->id);
2036
2929
if (tmp_s->flags & SIG_FLAG_IPONLY) {
2037
2930
IPOnlyAddSignature(de_ctx, &de_ctx->io_ctx, tmp_s);
2038
} else if (tmp_s->flags & SIG_FLAG_DEONLY) {
2931
} else if (tmp_s->init_flags & SIG_FLAG_DEONLY) {
2039
2932
DetectEngineAddDecoderEventSig(de_ctx, tmp_s);
2040
2933
} else {
2041
2934
DetectEngineLookupFlowAddSig(de_ctx, tmp_s, AF_INET);
2078
2971
2079
2972
IPOnlyPrepare(de_ctx);
2080
2973
IPOnlyPrint(de_ctx, &de_ctx->io_ctx);
2081
2974
#ifdef DEBUG
2975
DetectAddress *gr = NULL;
2082
2976
if (!(de_ctx->flags & DE_QUIET)) {
2083
SCLogInfo("%" PRIu32 " total signatures:", sigs);
2977
SCLogDebug("%" PRIu32 " total signatures:", sigs);
2084
2978
}
2085
2979
2086
2980
/* TCP */
2087
for (f = 0; f < FLOW_STATES; f++) {
2088
for (gr = de_ctx->flow_gh[f].src_gh[6]->any_head; gr != NULL; gr = gr->next) {
2089
cnt_any++;
2090
}
2091
}
2092
for (f = 0; f < FLOW_STATES; f++) {
2093
for (gr = de_ctx->flow_gh[f].src_gh[6]->ipv4_head; gr != NULL; gr = gr->next) {
2094
cnt_ipv4++;
2095
}
2096
}
2097
for (f = 0; f < FLOW_STATES; f++) {
2098
for (gr = de_ctx->flow_gh[f].src_gh[6]->ipv6_head; gr != NULL; gr = gr->next) {
2099
cnt_ipv6++;
2100
}
2101
}
2102
if (!(de_ctx->flags & DE_QUIET)) {
2103
SCLogInfo("TCP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
2104
}
2105
2106
cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
2107
for (f = 0; f < FLOW_STATES; f++) {
2108
for (gr = de_ctx->flow_gh[f].src_gh[17]->any_head; gr != NULL; gr = gr->next) {
2109
cnt_any++;
2110
}
2111
}
2112
for (f = 0; f < FLOW_STATES; f++) {
2113
for (gr = de_ctx->flow_gh[f].src_gh[17]->ipv4_head; gr != NULL; gr = gr->next) {
2114
cnt_ipv4++;
2115
}
2116
}
2117
for (f = 0; f < FLOW_STATES; f++) {
2118
for (gr = de_ctx->flow_gh[f].src_gh[17]->ipv6_head; gr != NULL; gr = gr->next) {
2119
cnt_ipv6++;
2120
}
2121
}
2122
if (!(de_ctx->flags & DE_QUIET)) {
2123
SCLogInfo("UDP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
2124
}
2125
2981
uint32_t cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
2982
for (f = 0; f < FLOW_STATES; f++) {
2983
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->any_head; gr != NULL; gr = gr->next) {
2984
cnt_any++;
2985
}
2986
}
2987
for (f = 0; f < FLOW_STATES; f++) {
2988
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->ipv4_head; gr != NULL; gr = gr->next) {
2989
cnt_ipv4++;
2990
}
2991
}
2992
for (f = 0; f < FLOW_STATES; f++) {
2993
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->ipv6_head; gr != NULL; gr = gr->next) {
2994
cnt_ipv6++;
2995
}
2996
}
2997
if (!(de_ctx->flags & DE_QUIET)) {
2998
SCLogDebug("TCP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
2999
}
3000
3001
cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
3002
/* UDP */
3003
for (f = 0; f < FLOW_STATES; f++) {
3004
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->any_head; gr != NULL; gr = gr->next) {
3005
cnt_any++;
3006
}
3007
}
3008
for (f = 0; f < FLOW_STATES; f++) {
3009
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->ipv4_head; gr != NULL; gr = gr->next) {
3010
cnt_ipv4++;
3011
}
3012
}
3013
for (f = 0; f < FLOW_STATES; f++) {
3014
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->ipv6_head; gr != NULL; gr = gr->next) {
3015
cnt_ipv6++;
3016
}
3017
}
3018
if (!(de_ctx->flags & DE_QUIET)) {
3019
SCLogDebug("UDP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
3020
}
3021
3022
cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
3023
/* SCTP */
3024
for (f = 0; f < FLOW_STATES; f++) {
3025
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->any_head; gr != NULL; gr = gr->next) {
3026
cnt_any++;
3027
}
3028
}
3029
for (f = 0; f < FLOW_STATES; f++) {
3030
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->ipv4_head; gr != NULL; gr = gr->next) {
3031
cnt_ipv4++;
3032
}
3033
}
3034
for (f = 0; f < FLOW_STATES; f++) {
3035
for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->ipv6_head; gr != NULL; gr = gr->next) {
3036
cnt_ipv6++;
3037
}
3038
}
3039
if (!(de_ctx->flags & DE_QUIET)) {
3040
SCLogDebug("SCTP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
3041
}
3042
3043
/* ICMP */
2126
3044
cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
2127
3045
for (f = 0; f < FLOW_STATES; f++) {
2128
3046
for (gr = de_ctx->flow_gh[f].src_gh[1]->any_head; gr != NULL; gr = gr->next) {
2140
3058
}
2141
3059
}
2142
3060
if (!(de_ctx->flags & DE_QUIET)) {
2143
SCLogInfo("ICMP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
3061
SCLogDebug("ICMP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
2144
3062
}
2145
3063
#endif /* DEBUG */
2146
3064
if (!(de_ctx->flags & DE_QUIET)) {
2147
SCLogInfo("building signature grouping structure, stage 2: building source address list... done");
3065
SCLogInfo("building signature grouping structure, stage 2: building source address list... complete");
2148
3066
}
2149
3067
2150
3068
return 0;
2239
3157
SigGroupHeadSetSigCnt(sgr->sh, max_idx);
2240
3158
SigGroupHeadBuildMatchArray(de_ctx, sgr->sh, max_idx);
2241
3159
2242
/* content */
2243
SigGroupHeadLoadContent(de_ctx, sgr->sh);
2244
if (sgr->sh->init->content_size == 0) {
2245
de_ctx->mpm_none++;
2246
} else {
2247
/* now have a look if we can reuse a mpm ctx */
2248
SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(de_ctx, sgr->sh);
2249
if (mpmsh == NULL) {
2250
SigGroupHeadMpmHashAdd(de_ctx, sgr->sh);
2251
2252
de_ctx->mpm_unique++;
2253
} else {
2254
sgr->sh->mpm_ctx = mpmsh->mpm_ctx;
2255
sgr->sh->flags |= SIG_GROUP_HEAD_MPM_COPY;
2256
SigGroupHeadClearContent(sgr->sh);
2257
2258
de_ctx->mpm_reuse++;
2259
}
2260
}
2261
2262
/* content */
2263
SigGroupHeadLoadStreamContent(de_ctx, sgr->sh);
2264
if (sgr->sh->init->stream_content_size == 0) {
2265
de_ctx->mpm_none++;
2266
} else {
2267
/* now have a look if we can reuse a mpm ctx */
2268
SigGroupHead *mpmsh = SigGroupHeadMpmStreamHashLookup(de_ctx, sgr->sh);
2269
if (mpmsh == NULL) {
2270
SigGroupHeadMpmStreamHashAdd(de_ctx, sgr->sh);
2271
2272
de_ctx->mpm_unique++;
2273
} else {
2274
sgr->sh->mpm_stream_ctx = mpmsh->mpm_stream_ctx;
2275
sgr->sh->flags |= SIG_GROUP_HEAD_MPM_STREAM_COPY;
2276
SigGroupHeadClearStreamContent(sgr->sh);
2277
2278
de_ctx->mpm_reuse++;
2279
}
2280
}
2281
2282
/* uricontent */
2283
SigGroupHeadLoadUricontent(de_ctx, sgr->sh);
2284
if (sgr->sh->init->uri_content_size == 0) {
2285
de_ctx->mpm_uri_none++;
2286
} else {
2287
/* now have a look if we can reuse a uri mpm ctx */
2288
SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(de_ctx, sgr->sh);
2289
if (mpmsh == NULL) {
2290
SigGroupHeadMpmUriHashAdd(de_ctx, sgr->sh);
2291
de_ctx->mpm_uri_unique++;
2292
} else {
2293
sgr->sh->mpm_uri_ctx = mpmsh->mpm_uri_ctx;
2294
sgr->sh->flags |= SIG_GROUP_HEAD_MPM_URI_COPY;
2295
SigGroupHeadClearUricontent(sgr->sh);
2296
2297
de_ctx->mpm_uri_reuse++;
2298
}
2299
}
2300
2301
3160
/* init the pattern matcher, this will respect the copy
2302
3161
* setting */
2303
3162
if (PatternMatchPrepareGroup(de_ctx, sgr->sh) < 0) {
2549
3408
SigGroupHeadSetSigCnt(dp->sh, max_idx);
2550
3409
SigGroupHeadBuildMatchArray(de_ctx,dp->sh, max_idx);
2551
3410
2552
SigGroupHeadLoadContent(de_ctx, dp->sh);
2553
if (dp->sh->init->content_size == 0) {
2554
de_ctx->mpm_none++;
2555
} else {
2556
/* now have a look if we can reuse a mpm ctx */
2557
SigGroupHead *mpmsh = SigGroupHeadMpmHashLookup(de_ctx, dp->sh);
2558
if (mpmsh == NULL) {
2559
SigGroupHeadMpmHashAdd(de_ctx, dp->sh);
2560
2561
de_ctx->mpm_unique++;
2562
} else {
2563
/* XXX write dedicated function for this */
2564
dp->sh->mpm_ctx = mpmsh->mpm_ctx;
2565
//SCLogDebug("replacing dp->sh, so setting mpm_content_maxlen to %u (was %u)", mpmsh->mpm_content_maxlen, dp->sh->mpm_content_maxlen);
2566
//dp->sh->mpm_content_maxlen = mpmsh->mpm_content_maxlen;
2567
dp->sh->flags |= SIG_GROUP_HEAD_MPM_COPY;
2568
SigGroupHeadClearContent(dp->sh);
2569
2570
de_ctx->mpm_reuse++;
2571
}
2572
}
2573
2574
/* content */
2575
SigGroupHeadLoadStreamContent(de_ctx, dp->sh);
2576
if (dp->sh->init->stream_content_size == 0) {
2577
de_ctx->mpm_none++;
2578
} else {
2579
/* now have a look if we can reuse a mpm ctx */
2580
SigGroupHead *mpmsh = SigGroupHeadMpmStreamHashLookup(de_ctx, dp->sh);
2581
if (mpmsh == NULL) {
2582
SigGroupHeadMpmStreamHashAdd(de_ctx, dp->sh);
2583
2584
de_ctx->mpm_unique++;
2585
} else {
2586
SCLogDebug("replacing mpm_stream_ctx %p by %p", dp->sh->mpm_stream_ctx, mpmsh->mpm_stream_ctx);
2587
dp->sh->mpm_stream_ctx = mpmsh->mpm_stream_ctx;
2588
dp->sh->flags |= SIG_GROUP_HEAD_MPM_STREAM_COPY;
2589
SigGroupHeadClearStreamContent(dp->sh);
2590
2591
de_ctx->mpm_reuse++;
2592
}
2593
}
2594
2595
SigGroupHeadLoadUricontent(de_ctx, dp->sh);
2596
if (dp->sh->init->uri_content_size == 0) {
2597
de_ctx->mpm_uri_none++;
2598
} else {
2599
/* now have a look if we can reuse a uri mpm ctx */
2600
SigGroupHead *mpmsh = SigGroupHeadMpmUriHashLookup(de_ctx, dp->sh);
2601
if (mpmsh == NULL) {
2602
SigGroupHeadMpmUriHashAdd(de_ctx, dp->sh);
2603
2604
de_ctx->mpm_uri_unique++;
2605
} else {
2606
dp->sh->mpm_uri_ctx = mpmsh->mpm_uri_ctx;
2607
dp->sh->flags |= SIG_GROUP_HEAD_MPM_URI_COPY;
2608
SigGroupHeadClearUricontent(dp->sh);
2609
2610
de_ctx->mpm_uri_reuse++;
2611
}
2612
}
2613
3411
/* init the pattern matcher, this will respect the copy
2614
3412
* setting */
2615
3413
if (PatternMatchPrepareGroup(de_ctx, dp->sh) < 0) {
2722
3520
int r;
2723
3521
2724
3522
if (!(de_ctx->flags & DE_QUIET)) {
2725
SCLogInfo("building signature grouping structure, stage 3: "
3523
SCLogDebug("building signature grouping structure, stage 3: "
2726
3524
"building destination address lists...");
2727
3525
}
2728
3526
//DetectAddressPrintMemory();
2732
3530
int f = 0;
2733
3531
int proto;
2734
3532
for (f = 0; f < FLOW_STATES; f++) {
2735
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[6],AF_INET,f);
2736
if (r < 0) {
2737
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
2738
goto error;
2739
}
2740
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[17],AF_INET,f);
2741
if (r < 0) {
2742
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
2743
goto error;
2744
}
2745
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[6],AF_INET6,f);
2746
if (r < 0) {
2747
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
2748
goto error;
2749
}
2750
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[17],AF_INET6,f);
2751
if (r < 0) {
2752
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
2753
goto error;
2754
}
2755
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[6],AF_UNSPEC,f);
2756
if (r < 0) {
2757
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
2758
goto error;
2759
}
2760
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[17],AF_UNSPEC,f);
2761
if (r < 0) {
2762
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
3533
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_INET,f);
3534
if (r < 0) {
3535
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
3536
goto error;
3537
}
3538
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_INET,f);
3539
if (r < 0) {
3540
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
3541
goto error;
3542
}
3543
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_INET,f);
3544
if (r < 0) {
3545
printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n");
3546
goto error;
3547
}
3548
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_INET6,f);
3549
if (r < 0) {
3550
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
3551
goto error;
3552
}
3553
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_INET6,f);
3554
if (r < 0) {
3555
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
3556
goto error;
3557
}
3558
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_INET6,f);
3559
if (r < 0) {
3560
printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n");
3561
goto error;
3562
}
3563
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_UNSPEC,f);
3564
if (r < 0) {
3565
printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
3566
goto error;
3567
}
3568
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_UNSPEC,f);
3569
if (r < 0) {
3570
printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
3571
goto error;
3572
}
3573
r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_UNSPEC,f);
3574
if (r < 0) {
3575
printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n");
2763
3576
goto error;
2764
3577
}
2765
3578
for (proto = 0; proto < 256; proto++) {
2766
if (proto == IPPROTO_TCP || proto == IPPROTO_UDP)
3579
if (proto == IPPROTO_TCP || proto == IPPROTO_UDP || proto == IPPROTO_SCTP)
2767
3580
continue;
2768
3581
2769
3582
r = BuildDestinationAddressHeads(de_ctx, de_ctx->flow_gh[f].src_gh[proto],AF_INET,f);
2809
3622
de_ctx->mpm_unique ? de_ctx->mpm_memory_size / de_ctx->mpm_unique: 0);
2810
3623
2811
3624
SCLogInfo("max sig id %" PRIu32 ", array size %" PRIu32 "", DetectEngineGetMaxSigId(de_ctx), DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
2812
SCLogInfo("signature group heads: unique %" PRIu32 ", copies %" PRIu32 ".", de_ctx->gh_unique, de_ctx->gh_reuse);
2813
SCLogInfo("MPM instances: %" PRIu32 " unique, copies %" PRIu32 " (none %" PRIu32 ").",
3625
SCLogDebug("signature group heads: unique %" PRIu32 ", copies %" PRIu32 ".", de_ctx->gh_unique, de_ctx->gh_reuse);
3626
SCLogDebug("MPM instances: %" PRIu32 " unique, copies %" PRIu32 " (none %" PRIu32 ").",
2814
3627
de_ctx->mpm_unique, de_ctx->mpm_reuse, de_ctx->mpm_none);
2815
SCLogInfo("MPM (URI) instances: %" PRIu32 " unique, copies %" PRIu32 " (none %" PRIu32 ").",
3628
SCLogDebug("MPM (URI) instances: %" PRIu32 " unique, copies %" PRIu32 " (none %" PRIu32 ").",
2816
3629
de_ctx->mpm_uri_unique, de_ctx->mpm_uri_reuse, de_ctx->mpm_uri_none);
2817
SCLogInfo("MPM max patcnt %" PRIu32 ", avg %" PRIu32 "", de_ctx->mpm_max_patcnt, de_ctx->mpm_unique?de_ctx->mpm_tot_patcnt/de_ctx->mpm_unique:0);
3630
SCLogDebug("MPM max patcnt %" PRIu32 ", avg %" PRIu32 "", de_ctx->mpm_max_patcnt, de_ctx->mpm_unique?de_ctx->mpm_tot_patcnt/de_ctx->mpm_unique:0);
2818
3631
if (de_ctx->mpm_uri_tot_patcnt && de_ctx->mpm_uri_unique)
2819
SCLogInfo("MPM (URI) max patcnt %" PRIu32 ", avg %" PRIu32 " (%" PRIu32 "/%" PRIu32 ")", de_ctx->mpm_uri_max_patcnt, de_ctx->mpm_uri_tot_patcnt/de_ctx->mpm_uri_unique, de_ctx->mpm_uri_tot_patcnt, de_ctx->mpm_uri_unique);
2820
SCLogInfo("port maxgroups: %" PRIu32 ", avg %" PRIu32 ", tot %" PRIu32 "", g_groupportlist_maxgroups, g_groupportlist_groupscnt ? g_groupportlist_totgroups/g_groupportlist_groupscnt : 0, g_groupportlist_totgroups);
2821
SCLogInfo("building signature grouping structure, stage 3: building destination address lists... done");
3632
SCLogDebug("MPM (URI) max patcnt %" PRIu32 ", avg %" PRIu32 " (%" PRIu32 "/%" PRIu32 ")", de_ctx->mpm_uri_max_patcnt, de_ctx->mpm_uri_tot_patcnt/de_ctx->mpm_uri_unique, de_ctx->mpm_uri_tot_patcnt, de_ctx->mpm_uri_unique);
3633
SCLogDebug("port maxgroups: %" PRIu32 ", avg %" PRIu32 ", tot %" PRIu32 "", g_groupportlist_maxgroups, g_groupportlist_groupscnt ? g_groupportlist_totgroups/g_groupportlist_groupscnt : 0, g_groupportlist_totgroups);
3634
3635
SCLogInfo("building signature grouping structure, stage 3: building destination address lists... complete");
2822
3636
}
2823
3637
return 0;
2824
3638
error:
2830
3644
BUG_ON(de_ctx == NULL);
2831
3645
2832
3646
if (!(de_ctx->flags & DE_QUIET)) {
2833
SCLogInfo("cleaning up signature grouping structure...");
3647
SCLogDebug("cleaning up signature grouping structure...");
2834
3648
}
2835
3649
2836
3650
int f, proto;
2845
3659
IPOnlyDeinit(de_ctx, &de_ctx->io_ctx);
2846
3660
2847
3661
if (!(de_ctx->flags & DE_QUIET)) {
2848
SCLogInfo("cleaning up signature grouping structure... done");
3662
SCLogInfo("cleaning up signature grouping structure... complete");
2849
3663
}
2850
3664
return 0;
2851
3665
}
2944
3758
for (f = 0; f < FLOW_STATES; f++) {
2945
3759
printf("\n");
2946
3760
for (proto = 0; proto < 256; proto++) {
2947
if (proto != 6)
3761
if (proto != IPPROTO_TCP)
2948
3762
continue;
2949
3763
2950
3764
for (global_src_gr = de_ctx->flow_gh[f].src_gh[proto]->ipv4_head; global_src_gr != NULL;
3248
4062
* \retval 0 Always
3249
4063
*/
3250
4064
int SigGroupBuild (DetectEngineCtx *de_ctx) {
4065
/* if we are using single sgh_mpm_context then let us init the standard mpm
4066
* contexts using the mpm_ctx factory */
4067
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
4068
SigInitStandardMpmFactoryContexts(de_ctx);
4069
}
4070
3251
4071
if (SigAddressPrepareStage1(de_ctx) != 0) {
3252
4072
SCLogError(SC_ERR_DETECT_PREPARE, "initializing the detection engine failed");
3253
4073
exit(EXIT_FAILURE);
3265
4085
de_ctx->cuda_rc_mod_handle = SCCudaHlRegisterModule("SC_RULES_CONTENT_B2G_CUDA");
3266
4086
if (de_ctx->mpm_matcher == MPM_B2G_CUDA) {
3267
4087
CUcontext dummy_context;
3268
if (SCCudaHlGetCudaContext(&dummy_context,
4088
if (SCCudaHlGetCudaContext(&dummy_context, "mpm",
3269
4089
de_ctx->cuda_rc_mod_handle) == -1) {
3270
4090
SCLogError(SC_ERR_B2G_CUDA_ERROR, "Error getting a cuda context for the "
3271
4091
"module SC_RULES_CONTENT_B2G_CUDA");
3317
4137
}
3318
4138
#endif
3319
4139
4140
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
4141
MpmCtx *mpm_ctx = NULL;
4142
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_packet);
4143
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4144
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4145
}
4146
//printf("packet- %d\n", mpm_ctx->pattern_cnt);
4147
4148
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_uri);
4149
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4150
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4151
}
4152
//printf("uri- %d\n", mpm_ctx->pattern_cnt);
4153
4154
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcbd);
4155
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4156
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4157
}
4158
//printf("hcbd- %d\n", mpm_ctx->pattern_cnt);
4159
4160
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hhd);
4161
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4162
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4163
}
4164
//printf("hhd- %d\n", mpm_ctx->pattern_cnt);
4165
4166
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrhd);
4167
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4168
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4169
}
4170
//printf("hrhd- %d\n", mpm_ctx->pattern_cnt);
4171
4172
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hmd);
4173
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4174
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4175
}
4176
//printf("hmd- %d\n", mpm_ctx->pattern_cnt);
4177
4178
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hcd);
4179
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4180
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4181
}
4182
//printf("hcd- %d\n", mpm_ctx->pattern_cnt);
4183
4184
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_hrud);
4185
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4186
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4187
}
4188
//printf("hrud- %d\n", mpm_ctx->pattern_cnt);
4189
4190
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_stream);
4191
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
4192
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
4193
}
4194
//printf("stream- %d\n", mpm_ctx->pattern_cnt);
4195
}
4196
3320
4197
// SigAddressPrepareStage5(de_ctx);
3321
4198
// DetectAddressPrintMemory();
3322
4199
// DetectSigGroupPrintMemory();
3363
4240
DetectWithinRegister();
3364
4241
DetectDistanceRegister();
3365
4242
DetectOffsetRegister();
4243
DetectReplaceRegister();
3366
4244
DetectFlowRegister();
3367
4245
DetectWindowRegister();
3368
4246
DetectRpcRegister();
3375
4253
DetectPktvarRegister();
3376
4254
DetectNoalertRegister();
3377
4255
DetectFlowbitsRegister();
3378
DetectDecodeEventRegister();
4256
DetectEngineEventRegister();
3379
4257
DetectIpOptsRegister();
3380
4258
DetectFlagsRegister();
3381
4259
DetectFragBitsRegister();
3382
4260
DetectFragOffsetRegister();
3383
4261
DetectGidRegister();
4262
DetectMarkRegister();
3384
4263
DetectCsumRegister();
3385
4264
DetectStreamSizeRegister();
3386
4265
DetectTtlRegister();
3394
4273
DetectDceStubDataRegister();
3395
4274
DetectHttpCookieRegister();
3396
4275
DetectHttpMethodRegister();
4276
DetectHttpStatMsgRegister();
3397
4277
DetectTlsVersionRegister();
3398
4278
DetectUrilenRegister();
3399
4279
DetectDetectionFilterRegister();
3400
4280
DetectHttpHeaderRegister();
4281
DetectHttpRawHeaderRegister();
3401
4282
DetectHttpClientBodyRegister();
3402
4283
DetectHttpUriRegister();
4284
DetectHttpRawUriRegister();
3403
4285
DetectAsn1Register();
3404
4286
DetectSshVersionRegister();
4287
DetectSslStateRegister();
3405
4288
DetectSshSoftwareVersionRegister();
4289
DetectHttpStatCodeRegister();
4290
DetectSslVersionRegister();
4291
DetectByteExtractRegister();
3406
4292
3407
4293
uint8_t i = 0;
3408
4294
for (i = 0; i < DETECT_TBLSIZE; i++) {
3784
4670
p->flow = &f;
3785
4671
p->flowflags |= FLOW_PKT_TOSERVER;
3786
4672
p->flowflags |= FLOW_PKT_ESTABLISHED;
4673
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3787
4674
f.alproto = ALPROTO_HTTP;
3788
4675
3789
4676
StreamTcpInitConfig(TRUE);
3879
4766
p->flow = &f;
3880
4767
p->flowflags |= FLOW_PKT_TOSERVER;
3881
4768
p->flowflags |= FLOW_PKT_ESTABLISHED;
4769
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3882
4770
f.alproto = ALPROTO_HTTP;
3883
4771
3884
4772
StreamTcpInitConfig(TRUE);
3974
4862
p->flow = &f;
3975
4863
p->flowflags |= FLOW_PKT_TOSERVER;
3976
4864
p->flowflags |= FLOW_PKT_ESTABLISHED;
4865
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3977
4866
f.alproto = ALPROTO_HTTP;
3978
4867
3979
4868
StreamTcpInitConfig(TRUE);
4069
4958
p->flow = &f;
4070
4959
p->flowflags |= FLOW_PKT_TOSERVER;
4071
4960
p->flowflags |= FLOW_PKT_ESTABLISHED;
4961
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4072
4962
f.alproto = ALPROTO_HTTP;
4073
4963
4074
4964
StreamTcpInitConfig(TRUE);
4156
5046
p->flow = &f;
4157
5047
p->flowflags |= FLOW_PKT_TOSERVER;
4158
5048
p->flowflags |= FLOW_PKT_ESTABLISHED;
5049
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4159
5050
f.alproto = ALPROTO_HTTP;
4160
5051
4161
5052
StreamTcpInitConfig(TRUE);
4242
5133
f.dst.family = AF_INET;
4243
5134
p->flow = &f;
4244
5135
p->flowflags |= FLOW_PKT_TOSERVER;
5136
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4245
5137
f.alproto = ALPROTO_HTTP;
4246
5138
4247
5139
StreamTcpInitConfig(TRUE);
4310
5202
4311
5203
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4312
5204
p->flow = &f;
5205
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4313
5206
4314
5207
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4315
5208
if (de_ctx == NULL) {
4374
5267
4375
5268
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4376
5269
p->flow = &f;
5270
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4377
5271
4378
5272
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4379
5273
if (de_ctx == NULL) {
4477
5371
uint8_t *buf = (uint8_t *)
4478
5372
"CONNECT 213.92.8.7:31204 HTTP/1.1";
4479
5373
uint16_t buflen = strlen((char *)buf);
4480
Packet p;
5374
Packet *p = SCMalloc(SIZE_OF_PACKET);
5375
if (p == NULL)
5376
return 0;
4481
5377
ThreadVars th_v;
4482
5378
DetectEngineThreadCtx *det_ctx;
4483
5379
int result = 0;
4484
5380
4485
5381
memset(&th_v, 0, sizeof(th_v));
4486
memset(&p, 0, sizeof(p));
4487
p.src.family = AF_INET;
4488
p.dst.family = AF_INET;
4489
p.payload = buf;
4490
p.payload_len = buflen;
4491
p.proto = IPPROTO_TCP;
4492
p.dp = 80;
5382
memset(p, 0, SIZE_OF_PACKET);
5383
p->pkt = (uint8_t *)(p + 1);
5384
p->src.family = AF_INET;
5385
p->dst.family = AF_INET;
5386
p->payload = buf;
5387
p->payload_len = buflen;
5388
p->proto = IPPROTO_TCP;
5389
p->dp = 80;
4493
5390
4494
5391
ConfCreateContextBackup();
4495
5392
ConfInit();
4513
5410
SigGroupBuild(de_ctx);
4514
5411
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
4515
5412
4516
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
4517
if (PacketAlertCheck(&p, 2008284))
5413
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5414
if (PacketAlertCheck(p, 2008284))
4518
5415
result = 0;
4519
5416
else
4520
5417
result = 1;
4526
5423
end:
4527
5424
ConfDeInit();
4528
5425
ConfRestoreContextBackup();
5426
SCFree(p);
4529
5427
return result;
4530
5428
}
4531
5429
static int SigTest15B2g (void) {
4681
5579
uint8_t *buf = (uint8_t *)
4682
5580
"220 (vsFTPd 2.0.5)\r\n";
4683
5581
uint16_t buflen = strlen((char *)buf);
4684
Packet p;
5582
Packet *p = SCMalloc(SIZE_OF_PACKET);
5583
if (p == NULL)
5584
return 0;
4685
5585
ThreadVars th_v;
4686
5586
DetectEngineThreadCtx *det_ctx;
4687
5587
int result = 0;
4688
5588
4689
5589
memset(&th_v, 0, sizeof(th_v));
4690
memset(&p, 0, sizeof(p));
4691
p.src.family = AF_INET;
4692
p.dst.family = AF_INET;
4693
p.payload = buf;
4694
p.payload_len = buflen;
4695
p.proto = IPPROTO_TCP;
4696
p.dp = 34260;
4697
p.sp = 21;
5590
memset(p, 0, SIZE_OF_PACKET);
5591
p->pkt = (uint8_t *)(p + 1);
5592
p->src.family = AF_INET;
5593
p->dst.family = AF_INET;
5594
p->payload = buf;
5595
p->payload_len = buflen;
5596
p->proto = IPPROTO_TCP;
5597
p->dp = 34260;
5598
p->sp = 21;
4698
5599
4699
5600
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4700
5601
if (de_ctx == NULL) {
4714
5615
SigGroupBuild(de_ctx);
4715
5616
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
4716
5617
4717
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
4718
if (!PacketAlertCheck(&p, 2003055))
5618
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5619
if (!PacketAlertCheck(p, 2003055))
4719
5620
result = 1;
4720
5621
else
4721
5622
printf("signature shouldn't match, but did: ");
4725
5626
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4726
5627
DetectEngineCtxFree(de_ctx);
4727
5628
end:
5629
SCFree(p);
4728
5630
return result;
4729
5631
}
4730
5632
static int SigTest18B2g (void) {
4741
5643
uint8_t *buf = (uint8_t *)
4742
5644
"220 (vsFTPd 2.0.5)\r\n";
4743
5645
uint16_t buflen = strlen((char *)buf);
4744
Packet p;
5646
Packet *p = SCMalloc(SIZE_OF_PACKET);
5647
if (p == NULL)
5648
return 0;
4745
5649
ThreadVars th_v;
4746
5650
DetectEngineThreadCtx *det_ctx;
4747
5651
int result = 0;
4748
5652
4749
5653
memset(&th_v, 0, sizeof(th_v));
4750
memset(&p, 0, sizeof(p));
4751
p.src.family = AF_INET;
4752
p.src.addr_data32[0] = 0x0102080a;
4753
p.dst.addr_data32[0] = 0x04030201;
4754
p.dst.family = AF_INET;
4755
p.payload = buf;
4756
p.payload_len = buflen;
4757
p.proto = IPPROTO_TCP;
4758
p.dp = 34260;
4759
p.sp = 21;
4760
p.flowflags |= FLOW_PKT_TOSERVER;
5654
memset(p, 0, SIZE_OF_PACKET);
5655
p->pkt = (uint8_t *)(p + 1);
5656
p->src.family = AF_INET;
5657
p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
5658
p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
5659
p->dst.family = AF_INET;
5660
p->payload = buf;
5661
p->payload_len = buflen;
5662
p->proto = IPPROTO_TCP;
5663
p->dp = 34260;
5664
p->sp = 21;
5665
p->flowflags |= FLOW_PKT_TOSERVER;
4761
5666
4762
5667
ConfCreateContextBackup();
4763
5668
ConfInit();
4780
5685
SigGroupBuild(de_ctx);
4781
5686
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
4782
5687
4783
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
4784
if (PacketAlertCheck(&p, 999))
5688
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5689
if (PacketAlertCheck(p, 999))
4785
5690
result = 1;
4786
5691
else
4787
5692
printf("signature didn't match, but should have: ");
4792
5697
end:
4793
5698
ConfDeInit();
4794
5699
ConfRestoreContextBackup();
5700
SCFree(p);
4795
5701
return result;
4796
5702
}
4797
5703
static int SigTest19B2g (void) {
4808
5714
uint8_t *buf = (uint8_t *)
4809
5715
"220 (vsFTPd 2.0.5)\r\n";
4810
5716
uint16_t buflen = strlen((char *)buf);
4811
Packet p;
5717
Packet *p = SCMalloc(SIZE_OF_PACKET);
5718
if (p == NULL)
5719
return 0;
4812
5720
ThreadVars th_v;
4813
5721
DetectEngineThreadCtx *det_ctx;
4814
5722
int result = 0;
4815
5723
4816
5724
memset(&th_v, 0, sizeof(th_v));
4817
memset(&p, 0, sizeof(p));
4818
p.src.family = AF_INET;
4819
p.src.addr_data32[0] = 0x0102080a;
4820
p.dst.addr_data32[0] = 0x04030201;
4821
p.dst.family = AF_INET;
4822
p.payload = buf;
4823
p.payload_len = buflen;
4824
p.proto = IPPROTO_TCP;
4825
p.dp = 34260;
4826
p.sp = 21;
4827
p.flowflags |= FLOW_PKT_TOSERVER;
5725
memset(p, 0, SIZE_OF_PACKET);
5726
p->pkt = (uint8_t *)(p + 1);
5727
p->src.family = AF_INET;
5728
p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
5729
p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
5730
p->dst.family = AF_INET;
5731
p->payload = buf;
5732
p->payload_len = buflen;
5733
p->proto = IPPROTO_TCP;
5734
p->dp = 34260;
5735
p->sp = 21;
5736
p->flowflags |= FLOW_PKT_TOSERVER;
4828
5737
4829
5738
ConfCreateContextBackup();
4830
5739
ConfInit();
4849
5758
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
4850
5759
//DetectEngineIPOnlyThreadInit(de_ctx,&det_ctx->io_ctx);
4851
5760
4852
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
4853
if (PacketAlertCheck(&p, 999))
5761
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
5762
if (PacketAlertCheck(p, 999))
4854
5763
result = 1;
4855
5764
else
4856
5765
printf("signature didn't match, but should have: ");
4863
5772
end:
4864
5773
ConfDeInit();
4865
5774
ConfRestoreContextBackup();
5775
SCFree(p);
4866
5776
return result;
4867
5777
}
4868
5778
static int SigTest20B2g (void) {
4899
5809
4900
5810
p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
4901
5811
p1->flow = &f;
5812
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4902
5813
p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
4903
5814
p2->flow = &f;
5815
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4904
5816
4905
5817
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4906
5818
if (de_ctx == NULL) {
4930
5842
goto end;
4931
5843
}
4932
5844
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4933
if (PacketAlertCheck(p2, 2))
4934
result = 1;
5845
if (!(PacketAlertCheck(p2, 2))) {
5846
printf("sid 2 didn't alert, but should have: ");
5847
goto end;
5848
}
4935
5849
4936
5850
result = 1;
4937
5851
end:
4944
5858
}
4945
5859
}
4946
5860
DetectEngineCtxFree(de_ctx);
4947
4948
5861
UTHFreePackets(&p1, 1);
4949
5862
UTHFreePackets(&p2, 1);
4950
5863
FLOW_DESTROY(&f);
4979
5892
4980
5893
p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
4981
5894
p1->flow = &f;
5895
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4982
5896
4983
5897
/* packet 2 */
4984
5898
uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
4988
5902
4989
5903
p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
4990
5904
p2->flow = &f;
5905
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4991
5906
4992
5907
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4993
5908
if (de_ctx == NULL) {
5063
5978
5064
5979
p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
5065
5980
p1->flow = &f;
5981
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5066
5982
5067
5983
/* packet 2 */
5068
5984
uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
5072
5988
5073
5989
p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
5074
5990
p2->flow = &f;
5991
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
5075
5992
5076
5993
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5077
5994
if (de_ctx == NULL) {
5139
6056
0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
5140
6057
0xc0, 0xa8, 0x01, 0x06};
5141
6058
5142
Packet p1, p2;
6059
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6060
if (p1 == NULL)
6061
return 0;
6062
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
6063
if (p2 == NULL)
6064
return 0;
5143
6065
ThreadVars th_v;
5144
6066
DetectEngineThreadCtx *det_ctx = NULL;
5145
6067
int result = 0;
5149
6071
uint16_t buflen = strlen((char *)buf);
5150
6072
5151
6073
memset(&th_v, 0, sizeof(ThreadVars));
5152
memset(&p1, 0, sizeof(Packet));
5153
memset(&p2, 0, sizeof(Packet));
5154
p1.ip4vars.comp_csum = -1;
5155
p2.ip4vars.comp_csum = -1;
5156
5157
p1.ip4h = (IPV4Hdr *)valid_raw_ipv4;
5158
5159
p1.src.family = AF_INET;
5160
p1.dst.family = AF_INET;
5161
p1.payload = buf;
5162
p1.payload_len = buflen;
5163
p1.proto = IPPROTO_TCP;
5164
5165
p2.ip4h = (IPV4Hdr *)invalid_raw_ipv4;
5166
5167
p2.src.family = AF_INET;
5168
p2.dst.family = AF_INET;
5169
p2.payload = buf;
5170
p2.payload_len = buflen;
5171
p2.proto = IPPROTO_TCP;
6074
memset(p1, 0, SIZE_OF_PACKET);
6075
p1->pkt = (uint8_t *)(p1 + 1);
6076
memset(p2, 0, SIZE_OF_PACKET);
6077
p2->pkt = (uint8_t *)(p2 + 1);
6078
p1->ip4vars.comp_csum = -1;
6079
p2->ip4vars.comp_csum = -1;
6080
6081
p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
6082
6083
p1->src.family = AF_INET;
6084
p1->dst.family = AF_INET;
6085
p1->payload = buf;
6086
p1->payload_len = buflen;
6087
p1->proto = IPPROTO_TCP;
6088
6089
p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
6090
6091
p2->src.family = AF_INET;
6092
p2->dst.family = AF_INET;
6093
p2->payload = buf;
6094
p2->payload_len = buflen;
6095
p2->proto = IPPROTO_TCP;
5172
6096
5173
6097
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5174
6098
if (de_ctx == NULL) {
5199
6123
SigGroupBuild(de_ctx);
5200
6124
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
5201
6125
5202
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
5203
if (!(PacketAlertCheck(&p1, 1))) {
6126
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6127
if (!(PacketAlertCheck(p1, 1))) {
5204
6128
printf("signature 1 didn't match, but should have: ");
5205
6129
goto end;
5206
6130
}
5207
6131
5208
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
5209
if (!((PacketAlertCheck(&p2, 2)))) {
6132
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6133
if (!((PacketAlertCheck(p2, 2)))) {
5210
6134
printf("signature 2 didn't match, but should have: ");
5211
6135
goto end;
5212
6136
}
5219
6143
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5220
6144
DetectEngineCtxFree(de_ctx);
5221
6145
}
6146
SCFree(p1);
6147
SCFree(p2);
5222
6148
return result;
5223
6149
}
5224
6150
5234
6160
0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
5235
6161
0xc0, 0xa8, 0x01, 0x06};
5236
6162
5237
Packet p1, p2;
6163
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6164
if (p1 == NULL)
6165
return 0;
6166
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
6167
if (p2 == NULL)
6168
return 0;
5238
6169
ThreadVars th_v;
5239
6170
DetectEngineThreadCtx *det_ctx;
5240
6171
int result = 1;
5244
6175
uint16_t buflen = strlen((char *)buf);
5245
6176
5246
6177
memset(&th_v, 0, sizeof(ThreadVars));
5247
memset(&p1, 0, sizeof(Packet));
5248
memset(&p2, 0, sizeof(Packet));
5249
p1.ip4vars.comp_csum = -1;
5250
p2.ip4vars.comp_csum = -1;
5251
5252
p1.ip4h = (IPV4Hdr *)valid_raw_ipv4;
5253
5254
p1.src.family = AF_INET;
5255
p1.dst.family = AF_INET;
5256
p1.payload = buf;
5257
p1.payload_len = buflen;
5258
p1.proto = IPPROTO_TCP;
5259
5260
p2.ip4h = (IPV4Hdr *)invalid_raw_ipv4;
5261
5262
p2.src.family = AF_INET;
5263
p2.dst.family = AF_INET;
5264
p2.payload = buf;
5265
p2.payload_len = buflen;
5266
p2.proto = IPPROTO_TCP;
6178
memset(p1, 0, SIZE_OF_PACKET);
6179
p1->pkt = (uint8_t *)(p1 + 1);
6180
memset(p2, 0, SIZE_OF_PACKET);
6181
p2->pkt = (uint8_t *)(p2 + 1);
6182
p1->ip4vars.comp_csum = -1;
6183
p2->ip4vars.comp_csum = -1;
6184
6185
p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
6186
6187
p1->src.family = AF_INET;
6188
p1->dst.family = AF_INET;
6189
p1->payload = buf;
6190
p1->payload_len = buflen;
6191
p1->proto = IPPROTO_TCP;
6192
6193
p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
6194
6195
p2->src.family = AF_INET;
6196
p2->dst.family = AF_INET;
6197
p2->payload = buf;
6198
p2->payload_len = buflen;
6199
p2->proto = IPPROTO_TCP;
5267
6200
5268
6201
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5269
6202
if (de_ctx == NULL) {
5294
6227
SigGroupBuild(de_ctx);
5295
6228
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
5296
6229
5297
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
5298
if (PacketAlertCheck(&p1, 1))
6230
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6231
if (PacketAlertCheck(p1, 1))
5299
6232
result &= 0;
5300
6233
else
5301
6234
result &= 1;
5302
6235
5303
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
5304
if (PacketAlertCheck(&p2, 2))
6236
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6237
if (PacketAlertCheck(p2, 2))
5305
6238
result &= 0;
5306
6239
else
5307
6240
result &= 1;
5311
6244
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5312
6245
DetectEngineCtxFree(de_ctx);
5313
6246
end:
6247
SCFree(p1);
6248
SCFree(p2);
5314
6249
return result;
5315
6250
}
5316
6251
5323
6258
5324
6259
uint8_t valid_raw_tcp[] = {
5325
6260
0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
5326
0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0,
5327
0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
6261
0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
6262
0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
5328
6263
0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
5329
6264
0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
5330
6265
5331
6266
uint8_t invalid_raw_tcp[] = {
5332
6267
0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
5333
0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0,
6268
0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
5334
6269
0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
5335
6270
0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
5336
6271
0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
5337
6272
5338
5339
Packet p1, p2;
6273
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6274
if (p1 == NULL)
6275
return 0;
6276
6277
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
6278
if (p2 == NULL)
6279
return 0;
6280
5340
6281
ThreadVars th_v;
5341
6282
DetectEngineThreadCtx *det_ctx;
5342
int result = 1;
5343
5344
uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
5345
"\r\n\r\n";
5346
uint16_t buflen = strlen((char *)buf);
6283
int result = 0;
5347
6284
5348
6285
memset(&th_v, 0, sizeof(ThreadVars));
5349
memset(&p1, 0, sizeof(Packet));
5350
memset(&p2, 0, sizeof(Packet));
5351
5352
p1.tcpvars.comp_csum = -1;
5353
p1.ip4h = (IPV4Hdr *)raw_ipv4;
5354
p1.tcph = (TCPHdr *)valid_raw_tcp;
5355
p1.tcpvars.hlen = 0;
5356
p1.src.family = AF_INET;
5357
p1.dst.family = AF_INET;
5358
p1.payload = buf;
5359
p1.payload_len = buflen;
5360
p1.proto = IPPROTO_TCP;
5361
5362
p2.tcpvars.comp_csum = -1;
5363
p2.ip4h = (IPV4Hdr *)raw_ipv4;
5364
p2.tcph = (TCPHdr *)invalid_raw_tcp;
5365
p2.tcpvars.hlen = 0;
5366
p2.src.family = AF_INET;
5367
p2.dst.family = AF_INET;
5368
p2.payload = buf;
5369
p2.payload_len = buflen;
5370
p2.proto = IPPROTO_TCP;
6286
memset(p1, 0, SIZE_OF_PACKET);
6287
p1->pkt = (uint8_t *)(p1 + 1);
6288
memset(p2, 0, SIZE_OF_PACKET);
6289
p2->pkt = (uint8_t *)(p2 + 1);
6290
6291
PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
6292
PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
6293
6294
PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
6295
PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
6296
6297
p1->tcpvars.comp_csum = -1;
6298
p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
6299
p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
6300
p1->src.family = AF_INET;
6301
p1->dst.family = AF_INET;
6302
p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
6303
p1->payload_len = 20;
6304
p1->proto = IPPROTO_TCP;
6305
6306
p2->tcpvars.comp_csum = -1;
6307
p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
6308
p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
6309
p2->src.family = AF_INET;
6310
p2->dst.family = AF_INET;
6311
p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
6312
p2->payload_len = 20;
6313
p2->proto = IPPROTO_TCP;
5371
6314
5372
6315
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5373
6316
if (de_ctx == NULL) {
5378
6321
5379
6322
de_ctx->sig_list = SigInit(de_ctx,
5380
6323
"alert ip any any -> any any "
5381
"(content:\"/one/\"; tcpv4-csum:valid; "
6324
"(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
5382
6325
"msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
5383
6326
if (de_ctx->sig_list == NULL) {
5384
result &= 0;
5385
6327
goto end;
5386
6328
}
5387
6329
5388
6330
de_ctx->sig_list->next = SigInit(de_ctx,
5389
6331
"alert ip any any -> any any "
5390
"(content:\"/one/\"; tcpv4-csum:invalid; "
6332
"(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
5391
6333
"msg:\"tcpv4-csum keyword check(1)\"; "
5392
6334
"sid:2;)");
5393
6335
if (de_ctx->sig_list->next == NULL) {
5394
result &= 0;
5395
6336
goto end;
5396
6337
}
5397
6338
5398
6339
SigGroupBuild(de_ctx);
5399
6340
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
5400
6341
5401
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
5402
if (PacketAlertCheck(&p1, 1))
5403
result &= 1;
5404
else
5405
result &= 0;
5406
5407
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
5408
if (PacketAlertCheck(&p2, 2))
5409
result &= 1;
5410
else
5411
result &= 0;
5412
6342
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6343
if (!(PacketAlertCheck(p1, 1))) {
6344
printf("sig 1 didn't match: ");
6345
goto end;
6346
}
6347
6348
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6349
if (!(PacketAlertCheck(p2, 2))) {
6350
printf("sig 2 didn't match: ");
6351
goto end;
6352
}
6353
6354
result = 1;
6355
end:
5413
6356
SigGroupCleanup(de_ctx);
5414
6357
SigCleanSignatures(de_ctx);
5415
6358
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5416
6359
DetectEngineCtxFree(de_ctx);
5417
end:
6360
SCFree(p1);
6361
SCFree(p2);
5418
6362
return result;
5419
6363
}
5420
6364
5427
6371
5428
6372
uint8_t valid_raw_tcp[] = {
5429
6373
0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
5430
0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0,
6374
0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
5431
6375
0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
5432
6376
0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
5433
6377
0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
5434
6378
5435
6379
uint8_t invalid_raw_tcp[] = {
5436
6380
0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
5437
0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0,
6381
0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
5438
6382
0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
5439
6383
0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
5440
6384
0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
5441
6385
5442
6386
5443
Packet p1, p2;
6387
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6388
if (p1 == NULL)
6389
return 0;
6390
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
6391
if (p2 == NULL)
6392
return 0;
5444
6393
ThreadVars th_v;
5445
6394
DetectEngineThreadCtx *det_ctx;
5446
int result = 1;
5447
5448
uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
5449
"\r\n\r\n";
5450
uint16_t buflen = strlen((char *)buf);
6395
int result = 0;
5451
6396
5452
6397
memset(&th_v, 0, sizeof(ThreadVars));
5453
memset(&p1, 0, sizeof(Packet));
5454
memset(&p2, 0, sizeof(Packet));
5455
5456
p1.tcpvars.comp_csum = -1;
5457
p1.ip4h = (IPV4Hdr *)raw_ipv4;
5458
p1.tcph = (TCPHdr *)valid_raw_tcp;
5459
//p1.tcpvars.hlen = TCP_GET_HLEN((&p));
5460
p1.tcpvars.hlen = 0;
5461
p1.src.family = AF_INET;
5462
p1.dst.family = AF_INET;
5463
p1.payload = buf;
5464
p1.payload_len = buflen;
5465
p1.proto = IPPROTO_TCP;
5466
5467
p2.tcpvars.comp_csum = -1;
5468
p2.ip4h = (IPV4Hdr *)raw_ipv4;
5469
p2.tcph = (TCPHdr *)invalid_raw_tcp;
5470
//p2.tcpvars.hlen = TCP_GET_HLEN((&p));
5471
p2.tcpvars.hlen = 0;
5472
p2.src.family = AF_INET;
5473
p2.dst.family = AF_INET;
5474
p2.payload = buf;
5475
p2.payload_len = buflen;
5476
p2.proto = IPPROTO_TCP;
6398
memset(p1, 0, SIZE_OF_PACKET);
6399
p1->pkt = (uint8_t *)(p1 + 1);
6400
memset(p2, 0, SIZE_OF_PACKET);
6401
p2->pkt = (uint8_t *)(p2 + 1);
6402
6403
PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
6404
PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
6405
6406
PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
6407
PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
6408
6409
p1->tcpvars.comp_csum = -1;
6410
p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
6411
p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
6412
p1->src.family = AF_INET;
6413
p1->dst.family = AF_INET;
6414
p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
6415
p1->payload_len = 20;
6416
p1->proto = IPPROTO_TCP;
6417
6418
p2->tcpvars.comp_csum = -1;
6419
p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
6420
p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
6421
p2->src.family = AF_INET;
6422
p2->dst.family = AF_INET;
6423
p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
6424
p2->payload_len = 20;
6425
p2->proto = IPPROTO_TCP;
5477
6426
5478
6427
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5479
6428
if (de_ctx == NULL) {
5484
6433
5485
6434
de_ctx->sig_list = SigInit(de_ctx,
5486
6435
"alert tcp any any -> any any "
5487
"(content:\"/one/\"; tcpv4-csum:invalid; "
6436
"(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
5488
6437
"msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
5489
6438
if (de_ctx->sig_list == NULL) {
5490
result &= 0;
5491
6439
goto end;
5492
6440
}
5493
6441
5494
6442
de_ctx->sig_list->next = SigInit(de_ctx,
5495
6443
"alert tcp any any -> any any "
5496
"(content:\"/one/\"; tcpv4-csum:valid; "
6444
"(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
5497
6445
"msg:\"tcpv4-csum keyword check(1)\"; "
5498
6446
"sid:2;)");
5499
6447
if (de_ctx->sig_list->next == NULL) {
5500
result &= 0;
5501
6448
goto end;
5502
6449
}
5503
6450
5504
6451
SigGroupBuild(de_ctx);
5505
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
5506
6452
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
5507
6453
5508
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
5509
if (PacketAlertCheck(&p1, 1))
5510
result &= 0;
5511
else
5512
result &= 1;
5513
5514
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
5515
if (PacketAlertCheck(&p2, 2)) {
5516
result &= 0;
5517
}
5518
else
5519
result &= 1;
5520
6454
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6455
if (PacketAlertCheck(p1, 1)) {
6456
goto end;
6457
}
6458
6459
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6460
if (PacketAlertCheck(p2, 2)) {
6461
goto end;
6462
}
6463
6464
result = 1;
6465
end:
5521
6466
SigGroupCleanup(de_ctx);
5522
6467
SigCleanSignatures(de_ctx);
5523
6468
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5524
//PatternMatchDestroy(mpm_ctx);
5525
6469
DetectEngineCtxFree(de_ctx);
5526
end:
6470
SCFree(p1);
6471
SCFree(p2);
5527
6472
return result;
5528
6473
}
5529
6474
5531
6476
{
5532
6477
static uint8_t valid_raw_ipv6[] = {
5533
6478
0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
5534
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
5535
0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe,
5536
0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
5537
0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
5538
0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
5539
0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe,
5540
0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a,
5541
0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1,
5542
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08,
5543
0xca, 0x5a, 0x00, 0x01, 0x69, 0x27};
6479
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
6480
6481
0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
6482
0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
6483
0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
6484
0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
6485
0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
6486
6487
0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
6488
0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
6489
0xf2, 0xf1, 0x00, 0x00,
6490
6491
0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
6492
0x00, 0x01, 0x69, 0x27};
5544
6493
5545
6494
static uint8_t invalid_raw_ipv6[] = {
5546
6495
0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
5547
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
5548
0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe,
5549
0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
5550
0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
5551
0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
5552
0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe,
5553
0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a,
5554
0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1,
5555
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08,
5556
0xca, 0x5a, 0x00, 0x01, 0x69, 0x28};
5557
5558
Packet p1, p2;
6496
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
6497
6498
0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
6499
0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
6500
0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
6501
0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
6502
0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
6503
6504
0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
6505
0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
6506
0xc2, 0xf1, 0x00, 0x00,
6507
6508
0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
6509
0x00, 0x01, 0x69, 0x28};
6510
6511
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6512
if (p1 == NULL)
6513
return 0;
6514
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
6515
if (p2 == NULL)
6516
return 0;
5559
6517
ThreadVars th_v;
5560
6518
DetectEngineThreadCtx *det_ctx;
5561
int result = 1;
5562
5563
uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0tttttttt\r\n"
5564
"\r\n\r\n";
6519
int result = 0;
5565
6520
5566
6521
memset(&th_v, 0, sizeof(ThreadVars));
5567
memset(&p1, 0, sizeof(Packet));
5568
memset(&p2, 0, sizeof(Packet));
5569
5570
p1.tcpvars.comp_csum = -1;
5571
p1.ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
5572
p1.tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
5573
p1.src.family = AF_INET;
5574
p1.dst.family = AF_INET;
5575
p1.tcpvars.hlen = TCP_GET_HLEN((&p1));
5576
p1.payload = buf;
5577
p1.payload_len = p1.tcpvars.hlen;
5578
p1.tcpvars.hlen = 0;
5579
p1.proto = IPPROTO_TCP;
5580
5581
p2.tcpvars.comp_csum = -1;
5582
p2.ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
5583
p2.tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
5584
p2.src.family = AF_INET;
5585
p2.dst.family = AF_INET;
5586
p2.tcpvars.hlen = TCP_GET_HLEN((&p2));
5587
p2.payload = buf;
5588
p2.payload_len = p2.tcpvars.hlen;
5589
p2.tcpvars.hlen = 0;
5590
p2.proto = IPPROTO_TCP;
6522
memset(p1, 0, SIZE_OF_PACKET);
6523
p1->pkt = (uint8_t *)(p1 + 1);
6524
memset(p2, 0, SIZE_OF_PACKET);
6525
p2->pkt = (uint8_t *)(p2 + 1);
6526
6527
p1->tcpvars.comp_csum = -1;
6528
p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
6529
p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
6530
p1->src.family = AF_INET;
6531
p1->dst.family = AF_INET;
6532
p1->payload = valid_raw_ipv6 + 54 + 20;
6533
p1->payload_len = 12;
6534
p1->proto = IPPROTO_TCP;
6535
6536
if (TCP_GET_HLEN(p1) != 20) {
6537
BUG_ON(1);
6538
}
6539
6540
p2->tcpvars.comp_csum = -1;
6541
p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
6542
p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
6543
p2->src.family = AF_INET;
6544
p2->dst.family = AF_INET;
6545
p2->payload = invalid_raw_ipv6 + 54 + 20;;
6546
p2->payload_len = 12;
6547
p2->proto = IPPROTO_TCP;
6548
6549
if (TCP_GET_HLEN(p2) != 20) {
6550
BUG_ON(1);
6551
}
5591
6552
5592
6553
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5593
6554
if (de_ctx == NULL) {
5598
6559
5599
6560
de_ctx->sig_list = SigInit(de_ctx,
5600
6561
"alert tcp any any -> any any "
5601
"(content:\"/one/\"; tcpv6-csum:valid; "
6562
"(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
5602
6563
"msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
5603
6564
if (de_ctx->sig_list == NULL) {
5604
result &= 0;
5605
6565
goto end;
5606
6566
}
5607
6567
5608
6568
de_ctx->sig_list->next = SigInit(de_ctx,
5609
6569
"alert tcp any any -> any any "
5610
"(content:\"/one/\"; tcpv6-csum:invalid; "
6570
"(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
5611
6571
"msg:\"tcpv6-csum keyword check(1)\"; "
5612
6572
"sid:2;)");
5613
6573
if (de_ctx->sig_list->next == NULL) {
5614
result &= 0;
5615
6574
goto end;
5616
6575
}
5617
6576
5618
6577
SigGroupBuild(de_ctx);
5619
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
5620
6578
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
5621
6579
5622
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
5623
if (PacketAlertCheck(&p1, 1))
5624
result &= 1;
5625
else
5626
result &= 0;
5627
5628
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
5629
if (PacketAlertCheck(&p2, 2))
5630
result &= 1;
5631
else
5632
result &= 0;
5633
6580
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6581
if (!(PacketAlertCheck(p1, 1)))
6582
goto end;
6583
6584
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6585
if (!(PacketAlertCheck(p2, 2)))
6586
goto end;
6587
6588
result = 1;
6589
end:
5634
6590
SigGroupCleanup(de_ctx);
5635
6591
SigCleanSignatures(de_ctx);
5636
6592
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5637
//PatternMatchDestroy(mpm_ctx);
5638
6593
DetectEngineCtxFree(de_ctx);
5639
end:
6594
SCFree(p1);
6595
SCFree(p2);
5640
6596
return result;
5641
6597
}
5642
6598
5644
6600
{
5645
6601
static uint8_t valid_raw_ipv6[] = {
5646
6602
0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
5647
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
5648
0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe,
5649
0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
5650
0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
5651
0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
5652
0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe,
5653
0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a,
5654
0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1,
5655
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08,
5656
0xca, 0x5a, 0x00, 0x01, 0x69, 0x27};
6603
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
6604
6605
0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
6606
0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
6607
0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
6608
0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
6609
0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
6610
6611
0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
6612
0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
6613
0xf2, 0xf1, 0x00, 0x00,
6614
6615
0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
6616
0x00, 0x01, 0x69, 0x27};
5657
6617
5658
6618
static uint8_t invalid_raw_ipv6[] = {
5659
6619
0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
5660
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
5661
0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe,
5662
0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
5663
0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
5664
0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
5665
0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe,
5666
0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a,
5667
0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1,
5668
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08,
5669
0xca, 0x5a, 0x00, 0x01, 0x69, 0x28};
5670
5671
Packet p1, p2;
6620
0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
6621
6622
0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
6623
0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
6624
0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
6625
0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
6626
0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
6627
6628
0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
6629
0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
6630
0xc2, 0xf1, 0x00, 0x00,
6631
6632
0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
6633
0x00, 0x01, 0x69, 0x28};
6634
6635
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6636
if (p1 == NULL)
6637
return 0;
6638
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
6639
if (p2 == NULL)
6640
return 0;
5672
6641
ThreadVars th_v;
5673
6642
DetectEngineThreadCtx *det_ctx;
5674
int result = 1;
5675
5676
uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0tttttttt\r\n"
5677
"\r\n\r\n";
6643
int result = 0;
5678
6644
5679
6645
memset(&th_v, 0, sizeof(ThreadVars));
5680
memset(&p1, 0, sizeof(Packet));
5681
memset(&p2, 0, sizeof(Packet));
5682
5683
p1.tcpvars.comp_csum = -1;
5684
p1.ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
5685
p1.tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
5686
p1.src.family = AF_INET;
5687
p1.dst.family = AF_INET;
5688
p1.tcpvars.hlen = TCP_GET_HLEN((&p1));
5689
p1.payload = buf;
5690
p1.payload_len = p1.tcpvars.hlen;
5691
p1.tcpvars.hlen = 0;
5692
p1.proto = IPPROTO_TCP;
5693
5694
p2.tcpvars.comp_csum = -1;
5695
p2.ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
5696
p2.tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
5697
p2.src.family = AF_INET;
5698
p2.dst.family = AF_INET;
5699
p2.tcpvars.hlen = TCP_GET_HLEN((&p2));
5700
p2.payload = buf;
5701
p2.payload_len = p2.tcpvars.hlen;
5702
p2.tcpvars.hlen = 0;
5703
p2.proto = IPPROTO_TCP;
6646
memset(p1, 0, SIZE_OF_PACKET);
6647
p1->pkt = (uint8_t *)(p1 + 1);
6648
memset(p2, 0, SIZE_OF_PACKET);
6649
p2->pkt = (uint8_t *)(p2 + 1);
6650
6651
p1->tcpvars.comp_csum = -1;
6652
p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
6653
p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
6654
p1->src.family = AF_INET;
6655
p1->dst.family = AF_INET;
6656
p1->payload = valid_raw_ipv6 + 54 + 20;
6657
p1->payload_len = 12;
6658
p1->proto = IPPROTO_TCP;
6659
6660
if (TCP_GET_HLEN(p1) != 20) {
6661
BUG_ON(1);
6662
}
6663
6664
p2->tcpvars.comp_csum = -1;
6665
p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
6666
p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
6667
p2->src.family = AF_INET;
6668
p2->dst.family = AF_INET;
6669
p2->payload = invalid_raw_ipv6 + 54 + 20;;
6670
p2->payload_len = 12;
6671
p2->proto = IPPROTO_TCP;
6672
6673
if (TCP_GET_HLEN(p2) != 20) {
6674
BUG_ON(1);
6675
}
5704
6676
5705
6677
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5706
6678
if (de_ctx == NULL) {
5711
6683
5712
6684
de_ctx->sig_list = SigInit(de_ctx,
5713
6685
"alert tcp any any -> any any "
5714
"(content:\"/one/\"; tcpv6-csum:invalid; "
6686
"(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
5715
6687
"msg:\"tcpv6-csum keyword check(1)\"; "
5716
6688
"sid:1;)");
5717
6689
if (de_ctx->sig_list == NULL) {
5718
result &= 0;
5719
6690
goto end;
5720
6691
}
5721
6692
5722
6693
de_ctx->sig_list->next = SigInit(de_ctx,
5723
6694
"alert tcp any any -> any any "
5724
"(content:\"/one/\"; tcpv6-csum:valid; "
6695
"(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
5725
6696
"msg:\"tcpv6-csum keyword check(1)\"; "
5726
6697
"sid:2;)");
5727
6698
if (de_ctx->sig_list->next == NULL) {
5728
result &= 0;
5729
6699
goto end;
5730
6700
}
5731
6701
5732
6702
SigGroupBuild(de_ctx);
5733
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
5734
6703
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
5735
6704
5736
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
5737
if (PacketAlertCheck(&p1, 1))
5738
result &= 0;
5739
else
5740
result &= 1;
5741
5742
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
5743
if (PacketAlertCheck(&p2, 2))
5744
result &= 0;
5745
else
5746
result &= 1;
5747
6705
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6706
if (PacketAlertCheck(p1, 1))
6707
goto end;
6708
6709
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6710
if (PacketAlertCheck(p2, 2))
6711
goto end;
6712
6713
result = 1;
6714
end:
5748
6715
SigGroupCleanup(de_ctx);
5749
6716
SigCleanSignatures(de_ctx);
5750
6717
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
5751
//PatternMatchDestroy(mpm_ctx);
5752
6718
DetectEngineCtxFree(de_ctx);
5753
end:
6719
SCFree(p1);
6720
SCFree(p2);
5754
6721
return result;
5755
6722
}
5756
6723
5787
6754
0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
5788
6755
0x67, 0x6c, 0x65, 0xc0, 0x27};
5789
6756
5790
Packet p1, p2;
6757
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6758
if (p1 == NULL)
6759
return 0;
6760
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
6761
if (p2 == NULL)
6762
return 0;
5791
6763
ThreadVars th_v;
5792
6764
DetectEngineThreadCtx *det_ctx;
5793
6765
int result = 1;
5796
6768
"\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
5797
6769
5798
6770
memset(&th_v, 0, sizeof(ThreadVars));
5799
memset(&p1, 0, sizeof(Packet));
5800
memset(&p2, 0, sizeof(Packet));
5801
5802
p1.udpvars.comp_csum = -1;
5803
p1.ip4h = (IPV4Hdr *)raw_ipv4;
5804
p1.udph = (UDPHdr *)valid_raw_udp;
5805
p1.src.family = AF_INET;
5806
p1.dst.family = AF_INET;
5807
p1.payload = buf;
5808
p1.payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
5809
p1.proto = IPPROTO_UDP;
5810
5811
p2.udpvars.comp_csum = -1;
5812
p2.ip4h = (IPV4Hdr *)raw_ipv4;
5813
p2.udph = (UDPHdr *)invalid_raw_udp;
5814
p2.src.family = AF_INET;
5815
p2.dst.family = AF_INET;
5816
p2.payload = buf;
5817
p2.payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
5818
p2.proto = IPPROTO_UDP;
6771
memset(p1, 0, SIZE_OF_PACKET);
6772
p1->pkt = (uint8_t *)(p1 + 1);
6773
memset(p2, 0, SIZE_OF_PACKET);
6774
p2->pkt = (uint8_t *)(p2 + 1);
6775
6776
p1->udpvars.comp_csum = -1;
6777
p1->ip4h = (IPV4Hdr *)raw_ipv4;
6778
p1->udph = (UDPHdr *)valid_raw_udp;
6779
p1->src.family = AF_INET;
6780
p1->dst.family = AF_INET;
6781
p1->payload = buf;
6782
p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
6783
p1->proto = IPPROTO_UDP;
6784
6785
p2->udpvars.comp_csum = -1;
6786
p2->ip4h = (IPV4Hdr *)raw_ipv4;
6787
p2->udph = (UDPHdr *)invalid_raw_udp;
6788
p2->src.family = AF_INET;
6789
p2->dst.family = AF_INET;
6790
p2->payload = buf;
6791
p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
6792
p2->proto = IPPROTO_UDP;
5819
6793
5820
6794
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5821
6795
if (de_ctx == NULL) {
5848
6822
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
5849
6823
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
5850
6824
5851
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
5852
if (PacketAlertCheck(&p1, 1))
6825
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6826
if (PacketAlertCheck(p1, 1))
5853
6827
result &= 1;
5854
6828
else
5855
6829
result &= 0;
5856
6830
5857
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
5858
if (PacketAlertCheck(&p2, 2))
6831
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6832
if (PacketAlertCheck(p2, 2))
5859
6833
result &= 1;
5860
6834
else
5861
6835
result &= 0;
5866
6840
//PatternMatchDestroy(mpm_ctx);
5867
6841
DetectEngineCtxFree(de_ctx);
5868
6842
end:
6843
SCFree(p1);
6844
SCFree(p2);
5869
6845
return result;
5870
6846
}
5871
6847
5902
6878
0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
5903
6879
0x67, 0x6c, 0x65, 0xc0, 0x27};
5904
6880
5905
Packet p1, p2;
6881
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
6882
if (p1 == NULL)
6883
return 0;
6884
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
6885
if (p2 == NULL)
6886
return 0;
5906
6887
ThreadVars th_v;
5907
6888
DetectEngineThreadCtx *det_ctx;
5908
6889
int result = 1;
5911
6892
"\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
5912
6893
5913
6894
memset(&th_v, 0, sizeof(ThreadVars));
5914
memset(&p1, 0, sizeof(Packet));
5915
memset(&p2, 0, sizeof(Packet));
5916
5917
p1.udpvars.comp_csum = -1;
5918
p1.ip4h = (IPV4Hdr *)raw_ipv4;
5919
p1.udph = (UDPHdr *)valid_raw_udp;
5920
p1.src.family = AF_INET;
5921
p1.dst.family = AF_INET;
5922
p1.payload = buf;
5923
p1.payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
5924
p1.proto = IPPROTO_UDP;
5925
5926
p2.udpvars.comp_csum = -1;
5927
p2.ip4h = (IPV4Hdr *)raw_ipv4;
5928
p2.udph = (UDPHdr *)invalid_raw_udp;
5929
p2.src.family = AF_INET;
5930
p2.dst.family = AF_INET;
5931
p2.payload = buf;
5932
p2.payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
5933
p2.proto = IPPROTO_UDP;
6895
memset(p1, 0, SIZE_OF_PACKET);
6896
p1->pkt = (uint8_t *)(p1 + 1);
6897
memset(p2, 0, SIZE_OF_PACKET);
6898
p2->pkt = (uint8_t *)(p2 + 1);
6899
6900
p1->udpvars.comp_csum = -1;
6901
p1->ip4h = (IPV4Hdr *)raw_ipv4;
6902
p1->udph = (UDPHdr *)valid_raw_udp;
6903
p1->src.family = AF_INET;
6904
p1->dst.family = AF_INET;
6905
p1->payload = buf;
6906
p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
6907
p1->proto = IPPROTO_UDP;
6908
6909
p2->udpvars.comp_csum = -1;
6910
p2->ip4h = (IPV4Hdr *)raw_ipv4;
6911
p2->udph = (UDPHdr *)invalid_raw_udp;
6912
p2->src.family = AF_INET;
6913
p2->dst.family = AF_INET;
6914
p2->payload = buf;
6915
p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
6916
p2->proto = IPPROTO_UDP;
5934
6917
5935
6918
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5936
6919
if (de_ctx == NULL) {
5962
6945
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
5963
6946
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
5964
6947
5965
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
5966
if (PacketAlertCheck(&p1, 1))
6948
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
6949
if (PacketAlertCheck(p1, 1))
5967
6950
result &= 0;
5968
6951
else
5969
6952
result &= 1;
5970
6953
5971
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
5972
if (PacketAlertCheck(&p2, 2)) {
6954
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
6955
if (PacketAlertCheck(p2, 2)) {
5973
6956
result &= 0;
5974
6957
}
5975
6958
else
5981
6964
//PatternMatchDestroy(mpm_ctx);
5982
6965
DetectEngineCtxFree(de_ctx);
5983
6966
end:
6967
SCFree(p1);
6968
SCFree(p2);
5984
6969
return result;
5985
6970
}
5986
6971
6011
6996
0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
6012
6997
0x09, 0x01};
6013
6998
6014
Packet p1, p2;
6999
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
7000
if (p1 == NULL)
7001
return 0;
7002
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
7003
if (p2 == NULL)
7004
return 0;
6015
7005
ThreadVars th_v;
6016
7006
DetectEngineThreadCtx *det_ctx;
6017
7007
int result = 1;
6020
7010
"\r\n\r\n";
6021
7011
6022
7012
memset(&th_v, 0, sizeof(ThreadVars));
6023
memset(&p1, 0, sizeof(Packet));
6024
memset(&p2, 0, sizeof(Packet));
6025
6026
p1.udpvars.comp_csum = -1;
6027
p1.ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
6028
p1.udph = (UDPHdr *) (valid_raw_ipv6 + 54);
6029
p1.src.family = AF_INET;
6030
p1.dst.family = AF_INET;
6031
p1.payload = buf;
6032
p1.payload_len = IPV6_GET_PLEN((&p1)) - UDP_HEADER_LEN;
6033
p1.proto = IPPROTO_UDP;
6034
6035
p2.udpvars.comp_csum = -1;
6036
p2.ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
6037
p2.udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
6038
p2.src.family = AF_INET;
6039
p2.dst.family = AF_INET;
6040
p2.payload = buf;
6041
p2.payload_len = IPV6_GET_PLEN((&p2)) - UDP_HEADER_LEN;
6042
p2.proto = IPPROTO_UDP;
7013
memset(p1, 0, SIZE_OF_PACKET);
7014
p1->pkt = (uint8_t *)(p1 + 1);
7015
memset(p2, 0, SIZE_OF_PACKET);
7016
p2->pkt = (uint8_t *)(p2 + 1);
7017
7018
p1->udpvars.comp_csum = -1;
7019
p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
7020
p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
7021
p1->src.family = AF_INET;
7022
p1->dst.family = AF_INET;
7023
p1->payload = buf;
7024
p1->payload_len = IPV6_GET_PLEN((p1)) - UDP_HEADER_LEN;
7025
p1->proto = IPPROTO_UDP;
7026
7027
p2->udpvars.comp_csum = -1;
7028
p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
7029
p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
7030
p2->src.family = AF_INET;
7031
p2->dst.family = AF_INET;
7032
p2->payload = buf;
7033
p2->payload_len = IPV6_GET_PLEN((p2)) - UDP_HEADER_LEN;
7034
p2->proto = IPPROTO_UDP;
6043
7035
6044
7036
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6045
7037
if (de_ctx == NULL) {
6071
7063
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
6072
7064
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
6073
7065
6074
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
6075
if (PacketAlertCheck(&p1, 1))
7066
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
7067
if (PacketAlertCheck(p1, 1))
6076
7068
result &= 1;
6077
7069
else
6078
7070
result &= 0;
6079
7071
6080
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
6081
if (PacketAlertCheck(&p2, 2))
7072
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
7073
if (PacketAlertCheck(p2, 2))
6082
7074
result &= 1;
6083
7075
else
6084
7076
result &= 0;
6089
7081
//PatternMatchDestroy(mpm_ctx);
6090
7082
DetectEngineCtxFree(de_ctx);
6091
7083
end:
7084
SCFree(p1);
7085
SCFree(p2);
6092
7086
return result;
6093
7087
}
6094
7088
6118
7112
0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
6119
7113
0x09, 0x01};
6120
7114
6121
Packet p1, p2;
7115
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
7116
if (p1 == NULL)
7117
return 0;
7118
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
7119
if (p2 == NULL)
7120
return 0;
6122
7121
ThreadVars th_v;
6123
7122
DetectEngineThreadCtx *det_ctx;
6124
7123
int result = 1;
6127
7126
"\r\n\r\n";
6128
7127
6129
7128
memset(&th_v, 0, sizeof(ThreadVars));
6130
memset(&p1, 0, sizeof(Packet));
6131
memset(&p2, 0, sizeof(Packet));
6132
6133
p1.udpvars.comp_csum = -1;
6134
p1.ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
6135
p1.udph = (UDPHdr *) (valid_raw_ipv6 + 54);
6136
p1.src.family = AF_INET;
6137
p1.dst.family = AF_INET;
6138
p1.payload = buf;
6139
p1.payload_len = IPV6_GET_PLEN((&p1)) - UDP_HEADER_LEN;
6140
p1.proto = IPPROTO_UDP;
6141
6142
p2.udpvars.comp_csum = -1;
6143
p2.ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
6144
p2.udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
6145
p2.src.family = AF_INET;
6146
p2.dst.family = AF_INET;
6147
p2.payload = buf;
6148
p2.payload_len = IPV6_GET_PLEN((&p2)) - UDP_HEADER_LEN;
6149
p2.proto = IPPROTO_UDP;
7129
memset(p1, 0, SIZE_OF_PACKET);
7130
p1->pkt = (uint8_t *)(p1 + 1);
7131
memset(p2, 0, SIZE_OF_PACKET);
7132
p2->pkt = (uint8_t *)(p2 + 1);
7133
7134
p1->udpvars.comp_csum = -1;
7135
p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
7136
p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
7137
p1->src.family = AF_INET;
7138
p1->dst.family = AF_INET;
7139
p1->payload = buf;
7140
p1->payload_len = IPV6_GET_PLEN((p1)) - UDP_HEADER_LEN;
7141
p1->proto = IPPROTO_UDP;
7142
7143
p2->udpvars.comp_csum = -1;
7144
p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
7145
p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
7146
p2->src.family = AF_INET;
7147
p2->dst.family = AF_INET;
7148
p2->payload = buf;
7149
p2->payload_len = IPV6_GET_PLEN((p2)) - UDP_HEADER_LEN;
7150
p2->proto = IPPROTO_UDP;
6150
7151
6151
7152
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6152
7153
if (de_ctx == NULL) {
6178
7179
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
6179
7180
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
6180
7181
6181
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
6182
if (PacketAlertCheck(&p1, 1))
7182
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
7183
if (PacketAlertCheck(p1, 1))
6183
7184
result &= 0;
6184
7185
else
6185
7186
result &= 1;
6186
7187
6187
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
6188
if (PacketAlertCheck(&p2, 2))
7188
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
7189
if (PacketAlertCheck(p2, 2))
6189
7190
result &= 0;
6190
7191
else
6191
7192
result &= 1;
6196
7197
//PatternMatchDestroy(mpm_ctx);
6197
7198
DetectEngineCtxFree(de_ctx);
6198
7199
end:
7200
SCFree(p1);
7201
SCFree(p2);
6199
7202
return result;
6200
7203
}
6201
7204
6227
7230
0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
6228
7231
0x34, 0x35, 0x36, 0x38};
6229
7232
6230
Packet p1, p2;
7233
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
7234
if (p1 == NULL)
7235
return 0;
7236
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
7237
if (p2 == NULL)
7238
return 0;
6231
7239
ThreadVars th_v;
6232
7240
DetectEngineThreadCtx *det_ctx;
6233
7241
int result = 1;
6237
7245
uint16_t buflen = strlen((char *)buf);
6238
7246
6239
7247
memset(&th_v, 0, sizeof(ThreadVars));
6240
memset(&p1, 0, sizeof(Packet));
6241
memset(&p2, 0, sizeof(Packet));
6242
6243
p1.icmpv4vars.comp_csum = -1;
6244
p1.ip4h = (IPV4Hdr *)(valid_raw_ipv4);
6245
p1.ip4h->ip_verhl = 69;
6246
p1.icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1.ip4h) * 4);
6247
p1.src.family = AF_INET;
6248
p1.dst.family = AF_INET;
6249
p1.payload = buf;
6250
p1.payload_len = buflen;
6251
p1.proto = IPPROTO_ICMP;
6252
6253
p2.icmpv4vars.comp_csum = -1;
6254
p2.ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
6255
p2.ip4h->ip_verhl = 69;
6256
p2.icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2.ip4h) * 4);
6257
p2.src.family = AF_INET;
6258
p2.dst.family = AF_INET;
6259
p2.payload = buf;
6260
p2.payload_len = buflen;
6261
p2.proto = IPPROTO_ICMP;
7248
memset(p1, 0, SIZE_OF_PACKET);
7249
p1->pkt = (uint8_t *)(p1 + 1);
7250
memset(p2, 0, SIZE_OF_PACKET);
7251
p2->pkt = (uint8_t *)(p2 + 1);
7252
7253
p1->icmpv4vars.comp_csum = -1;
7254
p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
7255
p1->ip4h->ip_verhl = 69;
7256
p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
7257
p1->src.family = AF_INET;
7258
p1->dst.family = AF_INET;
7259
p1->payload = buf;
7260
p1->payload_len = buflen;
7261
p1->proto = IPPROTO_ICMP;
7262
7263
p2->icmpv4vars.comp_csum = -1;
7264
p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
7265
p2->ip4h->ip_verhl = 69;
7266
p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
7267
p2->src.family = AF_INET;
7268
p2->dst.family = AF_INET;
7269
p2->payload = buf;
7270
p2->payload_len = buflen;
7271
p2->proto = IPPROTO_ICMP;
6262
7272
6263
7273
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6264
7274
if (de_ctx == NULL) {
6289
7299
SigGroupBuild(de_ctx);
6290
7300
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
6291
7301
6292
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
6293
if (PacketAlertCheck(&p1, 1))
7302
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
7303
if (PacketAlertCheck(p1, 1))
6294
7304
result &= 1;
6295
7305
else
6296
7306
result &= 0;
6297
7307
6298
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
6299
if (PacketAlertCheck(&p2, 2))
7308
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
7309
if (PacketAlertCheck(p2, 2))
6300
7310
result &= 1;
6301
7311
else
6302
7312
result &= 0;
6306
7316
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
6307
7317
DetectEngineCtxFree(de_ctx);
6308
7318
end:
7319
SCFree(p1);
7320
SCFree(p2);
6309
7321
return result;
6310
7322
}
6311
7323
6337
7349
0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
6338
7350
0x34, 0x35, 0x36, 0x38};
6339
7351
6340
Packet p1, p2;
7352
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
7353
if (p1 == NULL)
7354
return 0;
7355
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
7356
if (p2 == NULL)
7357
return 0;
6341
7358
ThreadVars th_v;
6342
7359
DetectEngineThreadCtx *det_ctx;
6343
7360
int result = 1;
6347
7364
uint16_t buflen = strlen((char *)buf);
6348
7365
6349
7366
memset(&th_v, 0, sizeof(ThreadVars));
6350
memset(&p1, 0, sizeof(Packet));
6351
memset(&p2, 0, sizeof(Packet));
6352
6353
p1.icmpv4vars.comp_csum = -1;
6354
p1.ip4h = (IPV4Hdr *)(valid_raw_ipv4);
6355
p1.ip4h->ip_verhl = 69;
6356
p1.icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1.ip4h) * 4);
6357
p1.src.family = AF_INET;
6358
p1.dst.family = AF_INET;
6359
p1.payload = buf;
6360
p1.payload_len = buflen;
6361
p1.proto = IPPROTO_ICMP;
6362
6363
p2.icmpv4vars.comp_csum = -1;
6364
p2.ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
6365
p2.ip4h->ip_verhl = 69;
6366
p2.icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2.ip4h) * 4);
6367
p2.src.family = AF_INET;
6368
p2.dst.family = AF_INET;
6369
p2.payload = buf;
6370
p2.payload_len = buflen;
6371
p2.proto = IPPROTO_ICMP;
7367
memset(p1, 0, SIZE_OF_PACKET);
7368
p1->pkt = (uint8_t *)(p1 + 1);
7369
memset(p2, 0, SIZE_OF_PACKET);
7370
p2->pkt = (uint8_t *)(p2 + 1);
7371
7372
p1->icmpv4vars.comp_csum = -1;
7373
p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
7374
p1->ip4h->ip_verhl = 69;
7375
p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
7376
p1->src.family = AF_INET;
7377
p1->dst.family = AF_INET;
7378
p1->payload = buf;
7379
p1->payload_len = buflen;
7380
p1->proto = IPPROTO_ICMP;
7381
7382
p2->icmpv4vars.comp_csum = -1;
7383
p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
7384
p2->ip4h->ip_verhl = 69;
7385
p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
7386
p2->src.family = AF_INET;
7387
p2->dst.family = AF_INET;
7388
p2->payload = buf;
7389
p2->payload_len = buflen;
7390
p2->proto = IPPROTO_ICMP;
6372
7391
6373
7392
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6374
7393
if (de_ctx == NULL) {
6400
7419
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
6401
7420
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
6402
7421
6403
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
6404
if (PacketAlertCheck(&p1, 1))
7422
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
7423
if (PacketAlertCheck(p1, 1))
6405
7424
result &= 0;
6406
7425
else
6407
7426
result &= 1;
6408
7427
6409
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
6410
if (PacketAlertCheck(&p2, 2))
7428
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
7429
if (PacketAlertCheck(p2, 2))
6411
7430
result &= 0;
6412
7431
else {
6413
7432
result &= 1;
6419
7438
//PatternMatchDestroy(mpm_ctx);
6420
7439
DetectEngineCtxFree(de_ctx);
6421
7440
end:
7441
SCFree(p1);
7442
SCFree(p2);
6422
7443
return result;
6423
7444
}
6424
7445
6460
7481
0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0xf5, 0xed,
6461
7482
0x08, 0x01};
6462
7483
6463
Packet p1, p2;
7484
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
7485
if (p1 == NULL)
7486
return 0;
7487
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
7488
if (p2 == NULL)
7489
return 0;
6464
7490
ThreadVars th_v;
6465
7491
DetectEngineThreadCtx *det_ctx;
6466
7492
int result = 1;
6470
7496
uint16_t buflen = strlen((char *)buf);
6471
7497
6472
7498
memset(&th_v, 0, sizeof(ThreadVars));
6473
memset(&p1, 0, sizeof(Packet));
6474
memset(&p2, 0, sizeof(Packet));
6475
6476
p1.icmpv6vars.comp_csum = -1;
6477
p1.ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
6478
p1.icmpv6h = (ICMPV6Hdr *) (valid_raw_ipv6 + 54);
6479
p1.src.family = AF_INET;
6480
p1.dst.family = AF_INET;
6481
p1.payload = buf;
6482
p1.payload_len = buflen;
6483
p1.proto = IPPROTO_ICMPV6;
6484
6485
p2.icmpv6vars.comp_csum = -1;
6486
p2.ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
6487
p2.icmpv6h = (ICMPV6Hdr *) (invalid_raw_ipv6 + 54);
6488
p2.src.family = AF_INET;
6489
p2.dst.family = AF_INET;
6490
p2.payload = buf;
6491
p2.payload_len = buflen;
6492
p2.proto = IPPROTO_ICMPV6;
7499
memset(p1, 0, SIZE_OF_PACKET);
7500
p1->pkt = (uint8_t *)(p1 + 1);
7501
memset(p2, 0, SIZE_OF_PACKET);
7502
p2->pkt = (uint8_t *)(p2 + 1);
7503
7504
p1->icmpv6vars.comp_csum = -1;
7505
p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
7506
p1->icmpv6h = (ICMPV6Hdr *) (valid_raw_ipv6 + 54);
7507
p1->src.family = AF_INET;
7508
p1->dst.family = AF_INET;
7509
p1->payload = buf;
7510
p1->payload_len = buflen;
7511
p1->proto = IPPROTO_ICMPV6;
7512
7513
p2->icmpv6vars.comp_csum = -1;
7514
p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
7515
p2->icmpv6h = (ICMPV6Hdr *) (invalid_raw_ipv6 + 54);
7516
p2->src.family = AF_INET;
7517
p2->dst.family = AF_INET;
7518
p2->payload = buf;
7519
p2->payload_len = buflen;
7520
p2->proto = IPPROTO_ICMPV6;
6493
7521
6494
7522
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6495
7523
if (de_ctx == NULL) {
6521
7549
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
6522
7550
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
6523
7551
6524
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
6525
if (PacketAlertCheck(&p1, 1))
7552
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
7553
if (PacketAlertCheck(p1, 1))
6526
7554
result &= 1;
6527
7555
else
6528
7556
result &= 0;
6529
7557
6530
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
6531
if (PacketAlertCheck(&p2, 2))
7558
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
7559
if (PacketAlertCheck(p2, 2))
6532
7560
result &= 1;
6533
7561
else
6534
7562
result &= 0;
6539
7567
//PatternMatchDestroy(mpm_ctx);
6540
7568
DetectEngineCtxFree(de_ctx);
6541
7569
end:
7570
SCFree(p1);
7571
SCFree(p2);
6542
7572
return result;
6543
7573
}
6544
7574
6580
7610
0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0xf5, 0xed,
6581
7611
0x08, 0x01};
6582
7612
6583
Packet p1, p2;
7613
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
7614
if (p1 == NULL)
7615
return 0;
7616
Packet *p2 = SCMalloc(SIZE_OF_PACKET);
7617
if (p2 == NULL)
7618
return 0;
6584
7619
ThreadVars th_v;
6585
7620
DetectEngineThreadCtx *det_ctx;
6586
7621
int result = 1;
6590
7625
uint16_t buflen = strlen((char *)buf);
6591
7626
6592
7627
memset(&th_v, 0, sizeof(ThreadVars));
6593
memset(&p1, 0, sizeof(Packet));
6594
memset(&p2, 0, sizeof(Packet));
6595
6596
p1.icmpv6vars.comp_csum = -1;
6597
p1.ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
6598
p1.icmpv6h = (ICMPV6Hdr *) (valid_raw_ipv6 + 54);
6599
p1.src.family = AF_INET;
6600
p1.dst.family = AF_INET;
6601
p1.payload = buf;
6602
p1.payload_len = buflen;
6603
p1.proto = IPPROTO_ICMPV6;
6604
6605
p2.icmpv6vars.comp_csum = -1;
6606
p2.ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
6607
p2.icmpv6h = (ICMPV6Hdr *) (invalid_raw_ipv6 + 54);
6608
p2.src.family = AF_INET;
6609
p2.dst.family = AF_INET;
6610
p2.payload = buf;
6611
p2.payload_len = buflen;
6612
p2.proto = IPPROTO_ICMPV6;
7628
memset(p1, 0, SIZE_OF_PACKET);
7629
p1->pkt = (uint8_t *)(p1 + 1);
7630
memset(p2, 0, SIZE_OF_PACKET);
7631
p2->pkt = (uint8_t *)(p2 + 1);
7632
7633
p1->icmpv6vars.comp_csum = -1;
7634
p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
7635
p1->icmpv6h = (ICMPV6Hdr *) (valid_raw_ipv6 + 54);
7636
p1->src.family = AF_INET;
7637
p1->dst.family = AF_INET;
7638
p1->payload = buf;
7639
p1->payload_len = buflen;
7640
p1->proto = IPPROTO_ICMPV6;
7641
7642
p2->icmpv6vars.comp_csum = -1;
7643
p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
7644
p2->icmpv6h = (ICMPV6Hdr *) (invalid_raw_ipv6 + 54);
7645
p2->src.family = AF_INET;
7646
p2->dst.family = AF_INET;
7647
p2->payload = buf;
7648
p2->payload_len = buflen;
7649
p2->proto = IPPROTO_ICMPV6;
6613
7650
6614
7651
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6615
7652
if (de_ctx == NULL) {
6641
7678
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
6642
7679
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
6643
7680
6644
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
6645
if (PacketAlertCheck(&p1, 1))
7681
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
7682
if (PacketAlertCheck(p1, 1))
6646
7683
result &= 0;
6647
7684
else
6648
7685
result &= 1;
6649
7686
6650
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
6651
if (PacketAlertCheck(&p2, 2))
7687
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
7688
if (PacketAlertCheck(p2, 2))
6652
7689
result &= 0;
6653
7690
else
6654
7691
result &= 1;
6659
7696
//PatternMatchDestroy(mpm_ctx);
6660
7697
DetectEngineCtxFree(de_ctx);
6661
7698
end:
7699
SCFree(p1);
7700
SCFree(p2);
6662
7701
return result;
6663
7702
}
6664
7703
6665
7704
int SigTest38Real(int mpm_type)
6666
7705
{
6667
Packet p1;
7706
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
7707
if (p1 == NULL)
7708
return 0;
6668
7709
ThreadVars th_v;
6669
7710
DetectEngineThreadCtx *det_ctx;
6670
7711
int result = 1;
6703
7744
uint16_t buflen = sizeof(buf);
6704
7745
6705
7746
memset(&th_v, 0, sizeof(ThreadVars));
6706
memset(&p1, 0, sizeof(Packet));
7747
memset(p1, 0, SIZE_OF_PACKET);
7748
p1->pkt = (uint8_t *)(p1 + 1);
6707
7749
6708
7750
/* Copy raw data into packet */
6709
memcpy(&p1.pkt, raw_eth, ethlen);
6710
memcpy(p1.pkt + ethlen, raw_ipv4, ipv4len);
6711
memcpy(p1.pkt + ethlen + ipv4len, raw_tcp, tcplen);
6712
memcpy(p1.pkt + ethlen + ipv4len + tcplen, buf, buflen);
6713
p1.pktlen = ethlen + ipv4len + tcplen + buflen;
7751
if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
7752
SCFree(p1);
7753
return 1;
7754
}
7755
if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
7756
SCFree(p1);
7757
return 1;
7758
}
7759
if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
7760
SCFree(p1);
7761
return 1;
7762
}
7763
if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
7764
SCFree(p1);
7765
return 1;
7766
}
7767
SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
6714
7768
6715
p1.tcpvars.comp_csum = -1;
6716
p1.ethh = (EthernetHdr *)raw_eth;
6717
p1.ip4h = (IPV4Hdr *)raw_ipv4;
6718
p1.tcph = (TCPHdr *)raw_tcp;
6719
p1.tcpvars.hlen = 0;
6720
p1.src.family = AF_INET;
6721
p1.dst.family = AF_INET;
6722
p1.payload = p1.pkt + ethlen + ipv4len + tcplen;
6723
p1.payload_len = buflen;
6724
p1.proto = IPPROTO_TCP;
7769
p1->tcpvars.comp_csum = -1;
7770
p1->ethh = (EthernetHdr *)raw_eth;
7771
p1->ip4h = (IPV4Hdr *)raw_ipv4;
7772
p1->tcph = (TCPHdr *)raw_tcp;
7773
p1->src.family = AF_INET;
7774
p1->dst.family = AF_INET;
7775
p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
7776
p1->payload_len = buflen;
7777
p1->proto = IPPROTO_TCP;
6725
7778
6726
7779
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6727
7780
if (de_ctx == NULL) {
6753
7806
SigGroupBuild(de_ctx);
6754
7807
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6755
7808
6756
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
6757
if (PacketAlertCheck(&p1, 1)) {
7809
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
7810
if (PacketAlertCheck(p1, 1)) {
6758
7811
result = 1;
6759
7812
} else {
6760
7813
result = 0;
6761
7814
printf("sid 1 didn't alert, but should have: ");
6762
7815
goto cleanup;
6763
7816
}
6764
if (PacketAlertCheck(&p1, 2)) {
7817
if (PacketAlertCheck(p1, 2)) {
6765
7818
result = 1;
6766
7819
} else {
6767
7820
result = 0;
6777
7830
DetectEngineCtxFree(de_ctx);
6778
7831
6779
7832
end:
7833
SCFree(p1);
6780
7834
return result;
6781
7835
}
6782
7836
static int SigTest38B2g (void) {
6791
7845
6792
7846
int SigTest39Real(int mpm_type)
6793
7847
{
6794
Packet p1;
7848
Packet *p1 = SCMalloc(SIZE_OF_PACKET);
7849
if (p1 == NULL)
7850
return 0;
6795
7851
ThreadVars th_v;
6796
7852
DetectEngineThreadCtx *det_ctx;
6797
7853
int result = 1;
6830
7886
uint16_t buflen = sizeof(buf);
6831
7887
6832
7888
memset(&th_v, 0, sizeof(ThreadVars));
6833
memset(&p1, 0, sizeof(Packet));
7889
memset(p1, 0, SIZE_OF_PACKET);
7890
p1->pkt = (uint8_t *)(p1 + 1);
6834
7891
6835
7892
/* Copy raw data into packet */
6836
memcpy(&p1.pkt, raw_eth, ethlen);
6837
memcpy(p1.pkt + ethlen, raw_ipv4, ipv4len);
6838
memcpy(p1.pkt + ethlen + ipv4len, raw_tcp, tcplen);
6839
memcpy(p1.pkt + ethlen + ipv4len + tcplen, buf, buflen);
6840
p1.pktlen = ethlen + ipv4len + tcplen + buflen;
7893
if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
7894
SCFree(p1);
7895
return 1;
7896
}
7897
if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
7898
SCFree(p1);
7899
return 1;
7900
}
7901
if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
7902
SCFree(p1);
7903
return 1;
7904
}
7905
if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
7906
SCFree(p1);
7907
return 1;
7908
}
7909
SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
6841
7910
6842
p1.tcpvars.comp_csum = -1;
6843
p1.ethh = (EthernetHdr *)raw_eth;
6844
p1.ip4h = (IPV4Hdr *)raw_ipv4;
6845
p1.tcph = (TCPHdr *)raw_tcp;
6846
p1.tcpvars.hlen = 0;
6847
p1.src.family = AF_INET;
6848
p1.dst.family = AF_INET;
6849
p1.payload = p1.pkt + ethlen + ipv4len + tcplen;
6850
p1.payload_len = buflen;
6851
p1.proto = IPPROTO_TCP;
7911
p1->tcpvars.comp_csum = -1;
7912
p1->ethh = (EthernetHdr *)raw_eth;
7913
p1->ip4h = (IPV4Hdr *)raw_ipv4;
7914
p1->tcph = (TCPHdr *)raw_tcp;
7915
p1->src.family = AF_INET;
7916
p1->dst.family = AF_INET;
7917
p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
7918
p1->payload_len = buflen;
7919
p1->proto = IPPROTO_TCP;
6852
7920
6853
7921
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6854
7922
if (de_ctx == NULL) {
6885
7953
SigGroupBuild(de_ctx);
6886
7954
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6887
7955
6888
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
6889
if (PacketAlertCheck(&p1, 1)) {
7956
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
7957
if (PacketAlertCheck(p1, 1)) {
6890
7958
result = 1;
6891
7959
} else {
6892
7960
result = 0;
6893
7961
printf("sid 1 didn't alert, but should have: ");
6894
7962
goto cleanup;
6895
7963
}
6896
if (PacketAlertCheck(&p1, 2)) {
7964
if (PacketAlertCheck(p1, 2)) {
6897
7965
result = 1;
6898
7966
} else {
6899
7967
result = 0;
6909
7977
DetectEngineCtxFree(de_ctx);
6910
7978
6911
7979
end:
7980
SCFree(p1);
6912
7981
return result;
6913
7982
}
6914
7983
static int SigTest39B2g (void) {
6965
8034
,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
6966
8035
,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
6967
8036
6968
Packet p;
8037
Packet *p = SCMalloc(SIZE_OF_PACKET);
8038
if (p == NULL)
8039
return 0;
6969
8040
DecodeThreadVars dtv;
6970
8041
6971
8042
ThreadVars th_v;
6972
8043
DetectEngineThreadCtx *det_ctx = NULL;
6973
8044
6974
memset(&p, 0, sizeof(Packet));
8045
memset(p, 0, SIZE_OF_PACKET);
8046
p->pkt = (uint8_t *)(p + 1);
6975
8047
memset(&dtv, 0, sizeof(DecodeThreadVars));
6976
8048
memset(&th_v, 0, sizeof(th_v));
6977
8049
6978
8050
FlowInitConfig(FLOW_QUIET);
6979
DecodeEthernet(&th_v, &dtv, &p, raw_eth, sizeof(raw_eth), NULL);
8051
DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth), NULL);
6980
8052
6981
8053
6982
8054
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
6997
8069
//PatternMatchPrepare(mpm_ctx, mpm_type);
6998
8070
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
6999
8071
7000
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
7001
if (PacketAlertCheck(&p, 101) == 0) {
8072
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
8073
if (PacketAlertCheck(p, 101) == 0) {
7002
8074
result = 0;
7003
8075
goto end;
7004
8076
} else {
7013
8085
DetectEngineCtxFree(de_ctx);
7014
8086
FlowShutdown();
7015
8087
8088
SCFree(p);
7016
8089
return result;
7017
8090
7018
8091
end:
7032
8105
7033
8106
FlowShutdown();
7034
8107
8108
SCFree(p);
7035
8109
return result;
7036
8110
}
7037
8111
7078
8152
,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
7079
8153
,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
7080
8154
7081
Packet p;
8155
Packet *p = SCMalloc(SIZE_OF_PACKET);
8156
if (p == NULL)
8157
return 0;
7082
8158
DecodeThreadVars dtv;
7083
8159
7084
8160
ThreadVars th_v;
7085
8161
DetectEngineThreadCtx *det_ctx = NULL;
7086
8162
7087
memset(&p, 0, sizeof(Packet));
8163
memset(p, 0, SIZE_OF_PACKET);
8164
p->pkt = (uint8_t *)(p + 1);
7088
8165
memset(&dtv, 0, sizeof(DecodeThreadVars));
7089
8166
memset(&th_v, 0, sizeof(th_v));
7090
8167
7091
8168
FlowInitConfig(FLOW_QUIET);
7092
DecodeEthernet(&th_v, &dtv, &p, raw_eth, sizeof(raw_eth), NULL);
8169
DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth), NULL);
7093
8170
7094
8171
7095
8172
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
7107
8184
goto end;
7108
8185
}
7109
8186
7110
if (s->pmatch->type != DETECT_CONTENT) {
8187
if (s->sm_lists[DETECT_SM_LIST_PMATCH]->type != DETECT_CONTENT) {
7111
8188
printf("type not content: ");
7112
8189
goto end;
7113
8190
}
7114
8191
/*
7115
if (s->pmatch->next == NULL) {
7116
printf("s->pmatch->next == NULL: ");
8192
if (s->sm_lists[DETECT_SM_LIST_PMATCH]->next == NULL) {
8193
printf("s->sm_lists[DETECT_SM_LIST_PMATCH]->next == NULL: ");
7117
8194
goto end;
7118
8195
}
7119
if (s->pmatch->next->type != DETECT_ISDATAAT) {
8196
if (s->sm_lists[DETECT_SM_LIST_PMATCH]->next->type != DETECT_ISDATAAT) {
7120
8197
printf("type not isdataat: ");
7121
8198
goto end;
7122
8199
}
7124
8201
SigGroupBuild(de_ctx);
7125
8202
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
7126
8203
7127
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
7128
if (PacketAlertCheck(&p, 101) == 0) {
8204
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
8205
if (PacketAlertCheck(p, 101) == 0) {
7129
8206
result = 1;
7130
8207
goto end;
7131
8208
} else {
7140
8217
DetectEngineCtxFree(de_ctx);
7141
8218
FlowShutdown();
7142
8219
8220
SCFree(p);
7143
8221
return result;
7144
8222
7145
8223
end:
7157
8235
7158
8236
FlowShutdown();
7159
8237
8238
SCFree(p);
7160
8239
return result;
7161
8240
}
7162
8241
7193
8272
uint8_t *buf = (uint8_t *)
7194
8273
"220 (vsFTPd 2.0.5)\r\n";
7195
8274
uint16_t buflen = strlen((char *)buf);
7196
Packet p;
8275
Packet *p = SCMalloc(SIZE_OF_PACKET);
8276
TCPHdr tcphdr;
8277
if (p == NULL)
8278
return 0;
7197
8279
ThreadVars th_v;
7198
8280
DetectEngineThreadCtx *det_ctx;
7199
8281
PacketQueue pq;
8282
Flow f;
7200
8283
int result = 0;
7201
8284
7202
8285
memset(&th_v, 0, sizeof(th_v));
7203
memset(&p, 0, sizeof(p));
8286
memset(p, 0, SIZE_OF_PACKET);
8287
p->pkt = (uint8_t *)(p + 1);
7204
8288
memset(&pq, 0, sizeof(pq));
7205
7206
p.src.family = AF_INET;
7207
p.src.addr_data32[0] = 0x0102080a;
7208
p.dst.addr_data32[0] = 0x04030201;
7209
p.dst.family = AF_INET;
7210
p.payload = buf;
7211
p.payload_len = buflen;
7212
p.proto = IPPROTO_TCP;
7213
p.dp = 34260;
7214
p.sp = 21;
7215
p.flowflags |= FLOW_PKT_TOSERVER;
7216
p.flags |= PKT_NOPACKET_INSPECTION;
8289
memset(&f, 0, sizeof(f));
8290
memset(&tcphdr, 0, sizeof(tcphdr));
8291
8292
p->src.family = AF_INET;
8293
p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
8294
p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
8295
p->dst.family = AF_INET;
8296
p->payload = buf;
8297
p->payload_len = buflen;
8298
p->proto = IPPROTO_TCP;
8299
p->dp = 34260;
8300
p->sp = 21;
8301
p->flowflags |= FLOW_PKT_TOSERVER;
8302
p->flags |= PKT_NOPACKET_INSPECTION;
8303
p->tcph = &tcphdr;
8304
p->flow = &f;
8305
8306
FLOW_INITIALIZE(&f);
7217
8307
7218
8308
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
7219
8309
if (de_ctx == NULL) {
7229
8319
}
7230
8320
7231
8321
SigGroupBuild(de_ctx);
7232
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
7233
8322
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
7234
//DetectEngineIPOnlyThreadInit(de_ctx,&det_ctx->io_ctx);
7235
8323
det_ctx->de_ctx = de_ctx;
7236
8324
7237
Detect(&th_v, &p, det_ctx, &pq, NULL);
7238
if (PacketAlertCheck(&p, 2))
8325
Detect(&th_v, p, det_ctx, &pq, NULL);
8326
if (PacketAlertCheck(p, 2))
7239
8327
result = 0;
7240
8328
else
7241
8329
result = 1;
7246
8334
//PatternMatchDestroy(mpm_ctx);
7247
8335
DetectEngineCtxFree(de_ctx);
7248
8336
end:
8337
SCFree(p);
7249
8338
return result;
7250
8339
}
7251
8340
7259
8348
uint8_t *buf = (uint8_t *)
7260
8349
"220 (vsFTPd 2.0.5)\r\n";
7261
8350
uint16_t buflen = strlen((char *)buf);
7262
Packet p;
8351
Packet *p = SCMalloc(SIZE_OF_PACKET);
8352
if (p == NULL)
8353
return 0;
7263
8354
ThreadVars th_v;
7264
8355
DetectEngineThreadCtx *det_ctx;
7265
8356
int result = 1;
7266
8357
7267
8358
memset(&th_v, 0, sizeof(th_v));
7268
memset(&p, 0, sizeof(p));
7269
p.src.family = AF_INET;
7270
p.dst.family = AF_INET;
7271
p.payload = buf;
7272
p.payload_len = buflen;
7273
p.proto = IPPROTO_TCP;
7274
p.flags |= PKT_NOPAYLOAD_INSPECTION;
8359
memset(p, 0, SIZE_OF_PACKET);
8360
p->pkt = (uint8_t *)(p + 1);
8361
p->src.family = AF_INET;
8362
p->dst.family = AF_INET;
8363
p->payload = buf;
8364
p->payload_len = buflen;
8365
p->proto = IPPROTO_TCP;
8366
p->flags |= PKT_NOPAYLOAD_INSPECTION;
7275
8367
7276
8368
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
7277
8369
if (de_ctx == NULL) {
7287
8379
goto end;
7288
8380
}
7289
8381
7290
// sigmatch_table[DETECT_CONTENT].flags |= SIGMATCH_PAYLOAD;
7291
// de_ctx->sig_list->pmatch->type = DETECT_CONTENT;
7292
7293
8382
SigGroupBuild(de_ctx);
7294
//PatternMatchPrepare(mpm_ctx,MPM_B2G);
7295
8383
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
7296
8384
7297
if (!(de_ctx->sig_list->flags & SIG_FLAG_PAYLOAD))
8385
if (!(de_ctx->sig_list->init_flags & SIG_FLAG_PAYLOAD))
7298
8386
result = 0;
7299
8387
7300
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
8388
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
7301
8389
7302
if (PacketAlertCheck(&p, 1))
8390
if (PacketAlertCheck(p, 1))
7303
8391
result &= 0;
7304
8392
else
7305
8393
result &= 1;
7310
8398
SigGroupCleanup(de_ctx);
7311
8399
SigCleanSignatures(de_ctx);
7312
8400
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
7313
//PatternMatchDestroy(mpm_ctx);
7314
8401
DetectEngineCtxFree(de_ctx);
7315
8402
end:
8403
SCFree(p);
7316
8404
return result;
7317
8405
}
7318
8406
7325
8413
"Host: two.example.org\r\n"
7326
8414
"\r\n\r\n";
7327
8415
uint16_t buflen = strlen((char *)buf);
7328
Packet p;
8416
Packet *p = SCMalloc(SIZE_OF_PACKET);
8417
if (p == NULL)
8418
return 0;
7329
8419
ThreadVars th_v;
7330
8420
DetectEngineThreadCtx *det_ctx;
7331
8421
int result = 0;
7332
8422
7333
8423
memset(&th_v, 0, sizeof(th_v));
7334
memset(&p, 0, sizeof(p));
7335
p.src.family = AF_INET;
7336
p.dst.family = AF_INET;
7337
p.payload = buf;
7338
p.payload_len = buflen;
7339
p.proto = IPPROTO_TCP;
8424
memset(p, 0, SIZE_OF_PACKET);
8425
p->pkt = (uint8_t *)(p + 1);
8426
p->src.family = AF_INET;
8427
p->dst.family = AF_INET;
8428
p->payload = buf;
8429
p->payload_len = buflen;
8430
p->proto = IPPROTO_TCP;
7340
8431
7341
8432
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
7342
8433
if (de_ctx == NULL) {
7370
8461
7371
8462
result = 1;
7372
8463
end:
8464
SCFree(p);
7373
8465
return result;
7374
8466
}
7375
8467
7791
8883
static int SigTestSgh03 (void) {
7792
8884
ThreadVars th_v;
7793
8885
int result = 0;
7794
Packet p;
8886
Packet *p = SCMalloc(SIZE_OF_PACKET);
8887
if (p == NULL)
8888
return 0;
7795
8889
DetectEngineThreadCtx *det_ctx;
7796
8890
7797
8891
memset(&th_v, 0, sizeof(th_v));
7798
memset(&p, 0, sizeof(p));
7799
p.src.family = AF_INET;
7800
p.dst.family = AF_INET;
7801
p.payload_len = 1;
7802
p.proto = IPPROTO_TCP;
7803
p.dp = 80;
7804
p.dst.addr_data32[0] = 0x04030201;
8892
memset(p, 0, SIZE_OF_PACKET);
8893
p->pkt = (uint8_t *)(p + 1);
8894
p->src.family = AF_INET;
8895
p->dst.family = AF_INET;
8896
p->payload_len = 1;
8897
p->proto = IPPROTO_TCP;
8898
p->dp = 80;
8899
p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
7805
8900
7806
8901
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
7807
8902
if (de_ctx == NULL) {
7841
8936
SigGroupBuild(de_ctx);
7842
8937
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
7843
8938
7844
SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, &p);
8939
SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
7845
8940
if (sgh == NULL) {
7846
8941
printf("no sgh: ");
7847
8942
goto end;
7878
8973
goto end;
7879
8974
}
7880
8975
7881
p.dst.addr_data32[0] = 0x05030201;
8976
p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.5");
7882
8977
7883
sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, &p);
8978
sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
7884
8979
if (sgh == NULL) {
7885
8980
printf("no sgh: ");
7886
8981
goto end;
7912
9007
}
7913
9008
7914
9009
if (sgh->mpm_content_maxlen != 3) {
7915
printf("sgh->mpm_content_maxlen %u, expected 3 (%x): ", sgh->mpm_content_maxlen, p.dst.addr_data32[0]);
9010
printf("sgh->mpm_content_maxlen %u, expected 3 (%x): ", sgh->mpm_content_maxlen, p->dst.addr_data32[0]);
7916
9011
goto end;
7917
9012
}
7918
9013
7919
9014
7920
p.dst.addr_data32[0] = 0x06030201;
9015
p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.6");
7921
9016
7922
sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, &p);
9017
sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
7923
9018
if (sgh == NULL) {
7924
9019
printf("no sgh: ");
7925
9020
goto end;
7953
9048
7954
9049
result = 1;
7955
9050
end:
9051
SCFree(p);
7956
9052
return result;
7957
9053
}
7958
9054
7959
9055
static int SigTestSgh04 (void) {
7960
9056
ThreadVars th_v;
7961
9057
int result = 0;
7962
Packet p;
9058
Packet *p = SCMalloc(SIZE_OF_PACKET);
9059
if (p == NULL)
9060
return 0;
7963
9061
DetectEngineThreadCtx *det_ctx;
7964
9062
7965
9063
memset(&th_v, 0, sizeof(th_v));
7966
memset(&p, 0, sizeof(p));
7967
p.src.family = AF_INET;
7968
p.dst.family = AF_INET;
7969
p.payload_len = 1;
7970
p.proto = IPPROTO_TCP;
7971
p.dp = 80;
7972
p.dst.addr_data32[0] = 0x04030201;
9064
memset(p, 0, SIZE_OF_PACKET);
9065
p->pkt = (uint8_t *)(p + 1);
9066
p->src.family = AF_INET;
9067
p->dst.family = AF_INET;
9068
p->payload_len = 1;
9069
p->proto = IPPROTO_TCP;
9070
p->dp = 80;
9071
p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
7973
9072
7974
9073
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
7975
9074
if (de_ctx == NULL) {
8009
9108
SigGroupBuild(de_ctx);
8010
9109
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
8011
9110
8012
SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, &p);
9111
SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
8013
9112
if (sgh == NULL) {
8014
9113
printf("no sgh: ");
8015
9114
goto end;
8045
9144
printf("sgh->sig_size %u\n", sgh->sig_size);
8046
9145
printf("sgh->refcnt %u\n", sgh->refcnt);
8047
9146
#endif
8048
p.dst.addr_data32[0] = 0x05030201;
9147
p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.5");
8049
9148
8050
sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, &p);
9149
sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
8051
9150
if (sgh == NULL) {
8052
9151
printf("no sgh: ");
8053
9152
goto end;
8081
9180
printf("sgh->sig_size %u\n", sgh->sig_size);
8082
9181
printf("sgh->refcnt %u\n", sgh->refcnt);
8083
9182
#endif
8084
p.dst.addr_data32[0] = 0x06030201;
9183
p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.6");
8085
9184
8086
sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, &p);
9185
sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
8087
9186
if (sgh == NULL) {
8088
9187
printf("no sgh: ");
8089
9188
goto end;
8110
9209
printf("sgh->sig_size %u\n", sgh->sig_size);
8111
9210
printf("sgh->refcnt %u\n", sgh->refcnt);
8112
9211
#endif
8113
p.proto = IPPROTO_GRE;
9212
p->proto = IPPROTO_GRE;
8114
9213
8115
sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, &p);
9214
sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
8116
9215
if (sgh == NULL) {
8117
9216
printf("no sgh: ");
8118
9217
goto end;
8141
9240
8142
9241
result = 1;
8143
9242
end:
9243
SCFree(p);
8144
9244
return result;
8145
9245
}
8146
9246
8148
9248
static int SigTestSgh05 (void) {
8149
9249
ThreadVars th_v;
8150
9250
int result = 0;
8151
Packet p;
9251
Packet *p = SCMalloc(SIZE_OF_PACKET);
9252
if (p == NULL)
9253
return 0;
8152
9254
DetectEngineThreadCtx *det_ctx;
8153
9255
8154
9256
memset(&th_v, 0, sizeof(th_v));
8155
memset(&p, 0, sizeof(p));
8156
p.src.family = AF_INET;
8157
p.dst.family = AF_INET;
8158
p.payload_len = 1;
8159
p.proto = IPPROTO_TCP;
8160
p.dp = 80;
8161
p.dst.addr_data32[0] = 0x04030201;
9257
memset(p, 0, SIZE_OF_PACKET);
9258
p->pkt = (uint8_t *)(p + 1);
9259
p->src.family = AF_INET;
9260
p->dst.family = AF_INET;
9261
p->payload_len = 1;
9262
p->proto = IPPROTO_TCP;
9263
p->dp = 80;
9264
p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
8162
9265
8163
9266
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
8164
9267
if (de_ctx == NULL) {
8176
9279
SigGroupBuild(de_ctx);
8177
9280
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
8178
9281
8179
SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, &p);
9282
SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
8180
9283
if (sgh == NULL) {
8181
9284
printf("no sgh: ");
8182
9285
goto end;
8183
9286
}
8184
9287
8185
if (sgh->mpm_ctx == NULL) {
8186
printf("sgh->mpm_type == NULL: ");
8187
goto end;
8188
}
8189
8190
if (sgh->mpm_ctx->mpm_type != MPM_WUMANBER) {
9288
if (sgh->mpm_ctx != NULL) {
9289
printf("sgh->mpm_ctx != NULL: ");
9290
goto end;
9291
}
9292
9293
if (sgh->mpm_stream_ctx == NULL) {
9294
printf("sgh->mpm_stream_ctx == NULL: ");
9295
goto end;
9296
}
9297
9298
if (sgh->mpm_stream_ctx->mpm_type != MPM_WUMANBER) {
8191
9299
printf("sgh->mpm_type != MPM_WUMANBER, expected %d, got %d: ", MPM_WUMANBER, sgh->mpm_ctx->mpm_type);
8192
9300
goto end;
8193
9301
}
8198
9306
8199
9307
result = 1;
8200
9308
end:
9309
SCFree(p);
8201
9310
return result;
8202
9311
}
8203
9312
8567
9676
DecodeThreadVars dtv;
8568
9677
ThreadVars th_v;
8569
9678
int result = 0;
9679
Packet *p1 = NULL;
9680
Packet *p2 = NULL;
9681
Packet *p3 = NULL;
9682
Packet *p4 = NULL;
8570
9683
8571
9684
uint8_t rawpkt1[] = {
8572
9685
0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
8681
9794
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
8682
9795
8683
9796
/* packet 1 */
8684
Packet p1;
8685
memset(&p1, 0, sizeof(Packet));
8686
DecodeEthernet(&th_v, &dtv, &p1, rawpkt1, sizeof(rawpkt1), NULL);
8687
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
8688
if (!(PacketAlertCheck(&p1, 556))) {
9797
p1 = SCMalloc(SIZE_OF_PACKET);
9798
if (p1 == NULL)
9799
return 0;
9800
memset(p1, 0, SIZE_OF_PACKET);
9801
p1->pkt = (uint8_t *)(p1 + 1);
9802
DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1), NULL);
9803
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
9804
if (!(PacketAlertCheck(p1, 556))) {
8689
9805
printf("failed to match on packet 1: ");
8690
9806
goto end;
8691
9807
}
8692
9808
8693
9809
/* packet 2 */
8694
Packet p2;
8695
memset(&p2, 0, sizeof(Packet));
8696
DecodeEthernet(&th_v, &dtv, &p2, rawpkt2, sizeof(rawpkt2), NULL);
8697
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
8698
if (!(PacketAlertCheck(&p2, 556))) {
9810
p2 = SCMalloc(SIZE_OF_PACKET);
9811
if (p2 == NULL)
9812
return 0;
9813
memset(p2, 0, SIZE_OF_PACKET);
9814
p2->pkt = (uint8_t *)(p2 + 1);
9815
DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2), NULL);
9816
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
9817
if (!(PacketAlertCheck(p2, 556))) {
8699
9818
printf("failed to match on packet 2: ");
8700
9819
goto end;
8701
9820
}
8702
9821
8703
9822
/* packet 3 */
8704
Packet p3;
8705
memset(&p3, 0, sizeof(Packet));
8706
DecodeEthernet(&th_v, &dtv, &p3, rawpkt3, sizeof(rawpkt3), NULL);
8707
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p3);
8708
if (!(PacketAlertCheck(&p3, 556))) {
9823
p3 = SCMalloc(SIZE_OF_PACKET);
9824
if (p3 == NULL)
9825
return 0;
9826
memset(p3, 0, SIZE_OF_PACKET);
9827
p3->pkt = (uint8_t *)(p3 + 1);
9828
DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3), NULL);
9829
SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
9830
if (!(PacketAlertCheck(p3, 556))) {
8709
9831
printf("failed to match on packet 3: ");
8710
9832
goto end;
8711
9833
}
8712
9834
8713
9835
/* packet 4 */
8714
Packet p4;
8715
memset(&p4, 0, sizeof(Packet));
8716
DecodeEthernet(&th_v, &dtv, &p4, rawpkt4, sizeof(rawpkt4), NULL);
8717
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p4);
8718
if (!(PacketAlertCheck(&p4, 556))) {
9836
p4 = SCMalloc(SIZE_OF_PACKET);
9837
if (p4 == NULL)
9838
return 0;
9839
memset(p4, 0, SIZE_OF_PACKET);
9840
p4->pkt = (uint8_t *)(p4 + 1);
9841
DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4), NULL);
9842
SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
9843
if (!(PacketAlertCheck(p4, 556))) {
8719
9844
printf("failed to match on packet 4: ");
8720
9845
goto end;
8721
9846
}
8745
9870
DetectEngineCtxFree(de_ctx);
8746
9871
8747
9872
FlowShutdown();
9873
if (p1 != NULL)
9874
SCFree(p1);
9875
if (p2 != NULL)
9876
SCFree(p2);
9877
if (p3 != NULL)
9878
SCFree(p3);
9879
if (p4 != NULL)
9880
SCFree(p4);
8748
9881
return result;
8749
9882
}
8750
9883
8896
10029
p->flow = &f;
8897
10030
p->flowflags |= FLOW_PKT_TOSERVER;
8898
10031
p->flowflags |= FLOW_PKT_ESTABLISHED;
10032
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
8899
10033
f.alproto = ALPROTO_HTTP;
8900
10034
8901
10035
StreamTcpInitConfig(TRUE);
8993
10127
p->flow = &f;
8994
10128
p->flowflags |= FLOW_PKT_TOSERVER;
8995
10129
p->flowflags |= FLOW_PKT_ESTABLISHED;
10130
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
8996
10131
f.alproto = ALPROTO_HTTP;
8997
10132
8998
10133
StreamTcpInitConfig(TRUE);
9103
10238
p1->flow = &f;
9104
10239
p1->flowflags |= FLOW_PKT_TOSERVER;
9105
10240
p1->flowflags |= FLOW_PKT_ESTABLISHED;
10241
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
9106
10242
9107
10243
p2->flow = &f;
9108
10244
p2->flowflags |= FLOW_PKT_TOSERVER;
9109
10245
p2->flowflags |= FLOW_PKT_ESTABLISHED;
10246
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
9110
10247
f.alproto = ALPROTO_HTTP;
9111
10248
9112
10249
StreamTcpInitConfig(TRUE);
9266
10403
p1->flow = &f;
9267
10404
p1->flowflags |= FLOW_PKT_TOSERVER;
9268
10405
p1->flowflags |= FLOW_PKT_ESTABLISHED;
10406
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
9269
10407
9270
10408
p2->flow = &f;
9271
10409
p2->flowflags |= FLOW_PKT_TOSERVER;
9272
10410
p2->flowflags |= FLOW_PKT_ESTABLISHED;
10411
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
9273
10412
f.alproto = ALPROTO_HTTP;
9274
10413
9275
10414
StreamTcpInitConfig(TRUE);
9384
10523
return result;
9385
10524
}
9386
10525
10526
/// SCLogInfo("%s %u %u %u %u", #v, (v).dw[0], (v).dw[1], (v).dw[2], (v).dw[3]);
10527
#define VECTOR_SCLogInfo(v) { \
10528
SCLogInfo("%s %08X %08X %08X %08X", #v, (v).dw[0], (v).dw[1], (v).dw[2], (v).dw[3]); \
10529
}
10530
10531
/**
10532
* \test Test 32 bit SIMD code.
10533
*/
10534
int SigTestSIMDMask01(void) {
10535
#if defined (__SSE3__)
10536
Vector pm, sm, r1, r2;
10537
uint32_t bm = 0;
10538
10539
uint8_t *mask = SCMallocAligned(32, 16);
10540
memset(mask, 0xEF, 32);
10541
mask[31] = 0xFF;
10542
printf("\n");
10543
pm.v = _mm_set1_epi8(0xEF);
10544
VECTOR_SCLogInfo(pm);
10545
10546
/* load a batch of masks */
10547
sm.v = _mm_load_si128((const __m128i *)&mask[0]);
10548
VECTOR_SCLogInfo(sm);
10549
10550
/* logical AND them with the packet's mask */
10551
r1.v = _mm_and_si128(pm.v, sm.v);
10552
VECTOR_SCLogInfo(r1);
10553
/* compare the result with the original mask */
10554
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10555
VECTOR_SCLogInfo(r2);
10556
/* convert into a bitarray */
10557
bm = ((uint32_t) _mm_movemask_epi8(r2.v));
10558
10559
SCLogInfo("bm %08x", bm);
10560
10561
/* load a batch of masks */
10562
sm.v = _mm_load_si128((const __m128i *)&mask[16]);
10563
VECTOR_SCLogInfo(sm);
10564
/* logical AND them with the packet's mask */
10565
r1.v = _mm_and_si128(pm.v, sm.v);
10566
VECTOR_SCLogInfo(r1);
10567
/* compare the result with the original mask */
10568
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10569
VECTOR_SCLogInfo(r2);
10570
/* convert into a bitarray */
10571
bm |= ((uint32_t) _mm_movemask_epi8(r2.v)) << 16;
10572
10573
SCLogInfo("bm %08x", bm);
10574
10575
int b = 0;
10576
for ( ; b < 32; b++){
10577
if (bm & (1 << b)) {
10578
SCLogInfo("b %02d, set", b);
10579
} else {
10580
SCLogInfo("b %02d, not set", b);
10581
10582
}
10583
}
10584
10585
if (!(bm & (1 << 31))) {
10586
return 1;
10587
}
10588
return 0;
10589
#else
10590
return 1;
10591
#endif
10592
}
10593
10594
/**
10595
* \test Test 32 bit SIMD code.
10596
*/
10597
int SigTestSIMDMask02(void) {
10598
#if defined (__SSE3__)
10599
Vector pm, sm, r1, r2;
10600
uint32_t bm = 0;
10601
10602
uint8_t *mask = SCMallocAligned(32, 16);
10603
memset(mask, 0x01, 32);
10604
mask[31] = 0;
10605
pm.v = _mm_set1_epi8(0x02);
10606
VECTOR_SCLogInfo(pm);
10607
10608
/* load a batch of masks */
10609
sm.v = _mm_load_si128((const __m128i *)&mask[0]);
10610
VECTOR_SCLogInfo(sm);
10611
10612
/* logical AND them with the packet's mask */
10613
r1.v = _mm_and_si128(pm.v, sm.v);
10614
VECTOR_SCLogInfo(r1);
10615
/* compare the result with the original mask */
10616
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10617
VECTOR_SCLogInfo(r2);
10618
/* convert into a bitarray */
10619
bm = ((uint32_t) _mm_movemask_epi8(r2.v));
10620
10621
SCLogInfo("bm %08x", bm);
10622
10623
/* load a batch of masks */
10624
sm.v = _mm_load_si128((const __m128i *)&mask[16]);
10625
VECTOR_SCLogInfo(sm);
10626
/* logical AND them with the packet's mask */
10627
r1.v = _mm_and_si128(pm.v, sm.v);
10628
VECTOR_SCLogInfo(r1);
10629
/* compare the result with the original mask */
10630
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10631
VECTOR_SCLogInfo(r2);
10632
/* convert into a bitarray */
10633
bm |= ((uint32_t) _mm_movemask_epi8(r2.v)) << 16;
10634
10635
SCLogInfo("bm %08x", bm);
10636
10637
int b = 0;
10638
for ( ; b < 32; b++){
10639
if (bm & (1 << b)) {
10640
SCLogInfo("b %02d, set", b);
10641
} else {
10642
SCLogInfo("b %02d, not set", b);
10643
10644
}
10645
}
10646
10647
if (bm & (1 << 31)) {
10648
return 1;
10649
}
10650
return 0;
10651
#else
10652
return 1;
10653
#endif
10654
}
10655
10656
/**
10657
* \test Test 64 bit SIMD code.
10658
*/
10659
int SigTestSIMDMask03(void) {
10660
#if defined (__SSE3__)
10661
Vector pm, sm, r1, r2;
10662
uint64_t bm = 0;
10663
uint8_t *mask = SCMallocAligned(64, 16);
10664
memset(mask, 0xEF, 64);
10665
mask[31] = 0xFF;
10666
mask[62] = 0xFF;
10667
printf("\n");
10668
pm.v = _mm_set1_epi8(0xEF);
10669
VECTOR_SCLogInfo(pm);
10670
10671
/* load a batch of masks */
10672
sm.v = _mm_load_si128((const __m128i *)&mask[0]);
10673
VECTOR_SCLogInfo(sm);
10674
/* logical AND them with the packet's mask */
10675
r1.v = _mm_and_si128(pm.v, sm.v);
10676
VECTOR_SCLogInfo(r1);
10677
/* compare the result with the original mask */
10678
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10679
VECTOR_SCLogInfo(r2);
10680
/* convert into a bitarray */
10681
bm = ((uint64_t) _mm_movemask_epi8(r2.v));
10682
10683
SCLogInfo("bm1 %"PRIxMAX, (uintmax_t)bm);
10684
10685
/* load a batch of masks */
10686
sm.v = _mm_load_si128((const __m128i *)&mask[16]);
10687
VECTOR_SCLogInfo(sm);
10688
/* logical AND them with the packet's mask */
10689
r1.v = _mm_and_si128(pm.v, sm.v);
10690
VECTOR_SCLogInfo(r1);
10691
/* compare the result with the original mask */
10692
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10693
VECTOR_SCLogInfo(r2);
10694
/* convert into a bitarray */
10695
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 16;
10696
10697
SCLogInfo("bm2 %"PRIxMAX, (uintmax_t)bm);
10698
10699
/* load a batch of masks */
10700
sm.v = _mm_load_si128((const __m128i *)&mask[32]);
10701
VECTOR_SCLogInfo(sm);
10702
/* logical AND them with the packet's mask */
10703
r1.v = _mm_and_si128(pm.v, sm.v);
10704
VECTOR_SCLogInfo(r1);
10705
/* compare the result with the original mask */
10706
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10707
VECTOR_SCLogInfo(r2);
10708
/* convert into a bitarray */
10709
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 32;
10710
10711
SCLogInfo("bm3 %"PRIxMAX, (uintmax_t)bm);
10712
10713
/* load a batch of masks */
10714
sm.v = _mm_load_si128((const __m128i *)&mask[48]);
10715
VECTOR_SCLogInfo(sm);
10716
/* logical AND them with the packet's mask */
10717
r1.v = _mm_and_si128(pm.v, sm.v);
10718
VECTOR_SCLogInfo(r1);
10719
/* compare the result with the original mask */
10720
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10721
VECTOR_SCLogInfo(r2);
10722
/* convert into a bitarray */
10723
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 48;
10724
10725
SCLogInfo("bm4 %"PRIxMAX, (uintmax_t)bm);
10726
10727
int b = 0;
10728
for ( ; b < 64; b++){
10729
if (bm & ((uint64_t)1 << b)) {
10730
SCLogInfo("b %02d, set", b);
10731
} else {
10732
SCLogInfo("b %02d, not set", b);
10733
10734
}
10735
}
10736
10737
if (!(bm & ((uint64_t)1 << 31)) && !(bm & ((uint64_t)1 << 62))) {
10738
return 1;
10739
}
10740
return 0;
10741
#else
10742
return 1;
10743
#endif
10744
}
10745
10746
/**
10747
* \test Test 64 bit SIMD code.
10748
*/
10749
int SigTestSIMDMask04(void) {
10750
#if defined (__SSE3__)
10751
Vector pm, sm, r1, r2;
10752
uint64_t bm = 0;
10753
10754
uint8_t *mask = SCMallocAligned(64, 16);
10755
memset(mask, 0x01, 64);
10756
mask[31] = 0;
10757
mask[62] = 0;
10758
pm.v = _mm_set1_epi8(0x02);
10759
VECTOR_SCLogInfo(pm);
10760
10761
/* load a batch of masks */
10762
sm.v = _mm_load_si128((const __m128i *)&mask[0]);
10763
VECTOR_SCLogInfo(sm);
10764
/* logical AND them with the packet's mask */
10765
r1.v = _mm_and_si128(pm.v, sm.v);
10766
VECTOR_SCLogInfo(r1);
10767
/* compare the result with the original mask */
10768
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10769
VECTOR_SCLogInfo(r2);
10770
/* convert into a bitarray */
10771
bm = ((uint64_t) _mm_movemask_epi8(r2.v));
10772
10773
SCLogInfo("bm1 %"PRIxMAX, (uintmax_t)bm);
10774
10775
/* load a batch of masks */
10776
sm.v = _mm_load_si128((const __m128i *)&mask[16]);
10777
VECTOR_SCLogInfo(sm);
10778
/* logical AND them with the packet's mask */
10779
r1.v = _mm_and_si128(pm.v, sm.v);
10780
VECTOR_SCLogInfo(r1);
10781
/* compare the result with the original mask */
10782
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10783
VECTOR_SCLogInfo(r2);
10784
/* convert into a bitarray */
10785
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 16;
10786
10787
SCLogInfo("bm2 %"PRIxMAX, (uintmax_t)bm);
10788
10789
/* load a batch of masks */
10790
sm.v = _mm_load_si128((const __m128i *)&mask[32]);
10791
VECTOR_SCLogInfo(sm);
10792
/* logical AND them with the packet's mask */
10793
r1.v = _mm_and_si128(pm.v, sm.v);
10794
VECTOR_SCLogInfo(r1);
10795
/* compare the result with the original mask */
10796
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10797
VECTOR_SCLogInfo(r2);
10798
/* convert into a bitarray */
10799
bm |= ((uint64_t) _mm_movemask_epi8(r2.v)) << 32;
10800
10801
SCLogInfo("bm3 %"PRIxMAX, (uintmax_t)bm);
10802
10803
/* load a batch of masks */
10804
sm.v = _mm_load_si128((const __m128i *)&mask[48]);
10805
VECTOR_SCLogInfo(sm);
10806
/* logical AND them with the packet's mask */
10807
r1.v = _mm_and_si128(pm.v, sm.v);
10808
VECTOR_SCLogInfo(r1);
10809
/* compare the result with the original mask */
10810
r2.v = _mm_cmpeq_epi8(sm.v, r1.v);
10811
VECTOR_SCLogInfo(r2);
10812
/* convert into a bitarray */
10813
bm |= (((uint64_t) _mm_movemask_epi8(r2.v)) << 48);
10814
10815
SCLogInfo("bm4-total %"PRIxMAX, (uintmax_t)bm);
10816
10817
int b = 0;
10818
for ( ; b < 64; b++){
10819
if (bm & ((uint64_t)1 << b)) {
10820
SCLogInfo("b %02d, set", b);
10821
} else {
10822
SCLogInfo("b %02d, not set", b);
10823
10824
}
10825
}
10826
10827
if ((bm & ((uint64_t)1 << 31)) && (bm & ((uint64_t)1 << 62))) {
10828
return 1;
10829
}
10830
return 0;
10831
#else
10832
return 1;
10833
#endif
10834
}
10835
9387
10836
#endif /* UNITTESTS */
9388
10837
9389
10838
void SigRegisterTests(void) {
9591
11040
UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03, 1);
9592
11041
UtRegisterTest("SigTestDropFlow04", SigTestDropFlow04, 1);
9593
11042
11043
UtRegisterTest("SigTestSIMDMask01", SigTestSIMDMask01, 1);
11044
UtRegisterTest("SigTestSIMDMask02", SigTestSIMDMask02, 1);
11045
UtRegisterTest("SigTestSIMDMask03", SigTestSIMDMask03, 1);
11046
UtRegisterTest("SigTestSIMDMask04", SigTestSIMDMask04, 1);
11047
9594
11048
#endif /* UNITTESTS */
9595
11049
}
9596
11050
Loggerhead is a web-based interface for Breezy
Version: 2.0.1