suricata/src/detect-distance.c

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 *
 * Implements the distance keyword
 */

#include "suricata-common.h"

#include "decode.h"

#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "app-layer.h"

#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-pcre.h"
#include "detect-byte-extract.h"

#include "flow-var.h"

#include "util-debug.h"
#include "util-unittest.h"
#include "detect-bytejump.h"
#include "util-unittest-helper.h"

static int DetectDistanceSetup(DetectEngineCtx *, Signature *, char *);
void DetectDistanceRegisterTests(void);

void DetectDistanceRegister(void)
{
    sigmatch_table[DETECT_DISTANCE].name = "distance";
    sigmatch_table[DETECT_DISTANCE].desc = "indicates a relation between this content keyword and the content preceding it";
    sigmatch_table[DETECT_DISTANCE].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#distance";
    sigmatch_table[DETECT_DISTANCE].Match = NULL;
    sigmatch_table[DETECT_DISTANCE].Setup = DetectDistanceSetup;
    sigmatch_table[DETECT_DISTANCE].Free  = NULL;
    sigmatch_table[DETECT_DISTANCE].RegisterTests = DetectDistanceRegisterTests;

    sigmatch_table[DETECT_DISTANCE].flags |= SIGMATCH_PAYLOAD;
}

static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
        char *distancestr)
{
    char *str = distancestr;
    char dubbed = 0;
    SigMatch *pm = NULL;
    int ret = -1;

    /* Strip leading and trailing "s. */
    if (distancestr[0] == '\"') {
        str = SCStrdup(distancestr + 1);
        if (unlikely(str == NULL))
            goto end;
        if (strlen(str) && str[strlen(str) - 1] == '\"') {
            str[strlen(str) - 1] = '\0';
        }
        dubbed = 1;
    }

    /* retrive the sm to apply the depth against */
    if (s->list != DETECT_SM_LIST_NOTSET) {
        pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);
    } else {
        pm =  SigMatchGetLastSMFromLists(s, 28,
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_FILEDATA],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
                                         DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
    }
    if (pm == NULL) {
        SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "distance needs "
                   "preceding content, uricontent option, http_client_body, "
                   "http_server_body, http_header option, http_raw_header option, "
                   "http_method option, http_cookie, http_raw_uri, "
                   "http_stat_msg, http_stat_code, http_user_agent or "
                   "file_data/dce_stub_data sticky buffer option");
        goto end;
    }

    /* verify other conditions */
    DetectContentData *cd = (DetectContentData *)pm->ctx;
    if (cd->flags & DETECT_CONTENT_DISTANCE) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple distances for the same content.");
        goto end;
    }
    if ((cd->flags & DETECT_CONTENT_DEPTH) || (cd->flags & DETECT_CONTENT_OFFSET)) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative "
                   "keyword like within/distance with a absolute "
                   "relative keyword like depth/offset for the same "
                   "content." );
        goto end;
    }
    if (cd->flags & DETECT_CONTENT_NEGATED && cd->flags & DETECT_CONTENT_FAST_PATTERN) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
                   "negated keyword set along with a fast_pattern");
        goto end;
    }
    if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "
                   "keyword set along with a fast_pattern:only;");
        goto end;
    }
    if (str[0] != '-' && isalpha((unsigned char)str[0])) {
        SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s);
        if (bed_sm == NULL) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "
                       "seen in distance - %s\n", str);
            goto end;
        }
        cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
        cd->flags |= DETECT_CONTENT_DISTANCE_BE;
    } else {
        cd->distance = strtol(str, NULL, 10);
    }
    cd->flags |= DETECT_CONTENT_DISTANCE;

    SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,
                                                   DETECT_CONTENT, pm->prev,
                                                   DETECT_PCRE, pm->prev);
    if (prev_pm == NULL) {
        ret = 0;
        goto end;
    }
    if (prev_pm->type == DETECT_CONTENT) {
        DetectContentData *prev_cd = (DetectContentData *)prev_pm->ctx;
        if (prev_cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "previous keyword "
                       "has a fast_pattern:only; set. Can't "
                       "have relative keywords around a fast_pattern "
                       "only content");
            goto end;
        }
        prev_cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
    } else if (prev_pm->type == DETECT_PCRE) {
        DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
        pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
    }

    ret = 0;
 end:
    if (dubbed)
        SCFree(str);
    return ret;
}

#ifdef UNITTESTS

static int DetectDistanceTest01(void)
{
    int result = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("no de_ctx: ");
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (content:\"|AA BB|\"; content:\"|CC DD EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE|\"; distance: 4; within: 19; sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        printf("sig parse failed: ");
        goto end;
    }

    SigMatch *sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH];
    if (sm == NULL) {
        printf("sm NULL: ");
        goto end;
    }

    sm = sm->next;
    if (sm == NULL) {
        printf("sm2 NULL: ");
        goto end;
    }

    DetectContentData *co = (DetectContentData *)sm->ctx;
    if (co == NULL) {
        printf("co == NULL: ");
        goto end;
    }

    if (co->distance != 4) {
        printf("distance %"PRIi32", expected 4: ", co->distance);
        goto end;
    }

    /* within needs to be 23: distance + content_len as Snort auto fixes this */
    if (co->within != 19) {
        printf("within %"PRIi32", expected 23: ", co->within);
        goto end;
    }

    result = 1;
end:
    DetectEngineCtxFree(de_ctx);
    return result;
}

/**
 * \test DetectDistanceTestPacket01 is a test to check matches of
 * distance works, if the previous keyword is byte_jump and content
 * (bug 163)
 */
int DetectDistanceTestPacket01 (void)
{
    int result = 0;
    uint8_t buf[] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00 };
    uint16_t buflen = sizeof(buf);
    Packet *p;
    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);

    if (p == NULL)
        goto end;

    char sig[] = "alert tcp any any -> any any (msg:\"suricata test\"; "
                    "byte_jump:1,2; content:\"|00|\"; "
                    "within:1; distance:2; sid:98711212; rev:1;)";

    p->flowflags = FLOW_PKT_ESTABLISHED | FLOW_PKT_TOCLIENT;
    result = UTHPacketMatchSig(p, sig);

    UTHFreePacket(p);
end:
    return result;
}
#endif /* UNITTESTS */

void DetectDistanceRegisterTests(void)
{
#ifdef UNITTESTS
    UtRegisterTest("DetectDistanceTest01 -- distance / within mix",
                   DetectDistanceTest01);
    UtRegisterTest("DetectDistanceTestPacket01", DetectDistanceTestPacket01);
#endif /* UNITTESTS */
}
Import of GPLv2 Header 050410 16 years ago			`/* Copyright (C) 2007-2010 Open Information Security Foundation`
			`*`
			`* You can copy, redistribute or modify this Program under the terms of`
			`* the GNU General Public License version 2 as published by the Free`
			`* Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* version 2 along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA`
			`* 02110-1301, USA.`
			`*/`

			`/**`
			`* \file`
			`*`
			`* \author Victor Julien <victor@inliniac.net>`
Changed my email address to anoopsaldanha at gmail dot com from my current one 15 years ago			`* \author Anoop Saldanha <anoopsaldanha@gmail.com>`
Import of GPLv2 Header 050410 16 years ago			`*`
			`* Implements the distance keyword`
			`*/`
Initial add of the files. 18 years ago
Rename to Suricata. 17 years ago			`#include "suricata-common.h"`
Cleanups. 16 years ago
Initial add of the files. 18 years ago			`#include "decode.h"`
Cleanups. 16 years ago
Initial add of the files. 18 years ago			`#include "detect.h"`
Adding Uricontent inspection with spm. Modifiers for uricontent are now supported 16 years ago			`#include "detect-parse.h"`
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago			`#include "detect-engine.h"`
dce stub content keywords support using dcepayload.c support for all dce related content keywords 16 years ago			`#include "app-layer.h"`
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago
Initial add of the files. 18 years ago			`#include "detect-content.h"`
			`#include "detect-uricontent.h"`
fix signature parsing to how snort does it for content based keywords along with dce_stub_data 16 years ago			`#include "detect-pcre.h"`
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines 15 years ago			`#include "detect-byte-extract.h"`
Cleanups. 16 years ago
			`#include "flow-var.h"`

Improve distance/within/nocase handling, sig parsing error reporting. 17 years ago			`#include "util-debug.h"`
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago			`#include "util-unittest.h"`
added the support for setting up distance sig when previous keyword is byte_jump (bug 163) 16 years ago			`#include "detect-bytejump.h"`
			`#include "util-unittest-helper.h"`
Initial add of the files. 18 years ago
Detection keyword cleanup 17 years ago			`static int DetectDistanceSetup(DetectEngineCtx , Signature , char *);`
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago			`void DetectDistanceRegisterTests(void);`
Initial add of the files. 18 years ago
code cleanup for all content based keywords. 14 years ago			`void DetectDistanceRegister(void)`
			`{`
Initial add of the files. 18 years ago			`sigmatch_table[DETECT_DISTANCE].name = "distance";`
Add documentation url in list-keyword output. The output of the list-keyword is modified to include the url to the keyword documentation when this is available. All documented keywords should have their link set. list-keyword can be used with an optional value: no option or short: display list of keywords csv: display a csv output on info an all keywords all: display a human readable output of keywords info $KWD: display the info about one keyword. 14 years ago			`sigmatch_table[DETECT_DISTANCE].desc = "indicates a relation between this content keyword and the content preceding it";`
documentation: fix list keywords URLs Update URLs in keyword definition to point to sphinx documentation. 10 years ago			`sigmatch_table[DETECT_DISTANCE].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#distance";`
Initial add of the files. 18 years ago			`sigmatch_table[DETECT_DISTANCE].Match = NULL;`
			`sigmatch_table[DETECT_DISTANCE].Setup = DetectDistanceSetup;`
			`sigmatch_table[DETECT_DISTANCE].Free = NULL;`
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago			`sigmatch_table[DETECT_DISTANCE].RegisterTests = DetectDistanceRegisterTests;`
added sigmatch payload flag 17 years ago
			`sigmatch_table[DETECT_DISTANCE].flags \|= SIGMATCH_PAYLOAD;`
Initial add of the files. 18 years ago			`}`

Fix some error messages and coding style at uri/content modifiers 16 years ago			`static int DetectDistanceSetup (DetectEngineCtx de_ctx, Signature s,`
			`char *distancestr)`
Initial add of the files. 18 years ago			`{`
			`char *str = distancestr;`
			`char dubbed = 0;`
dce stub content keywords support using dcepayload.c support for all dce related content keywords 16 years ago			`SigMatch *pm = NULL;`
code cleanup for all content based keywords. 14 years ago			`int ret = -1;`
Initial add of the files. 18 years ago
rule-parsing: quick fix for rules with wrong double quotes The stripping of leading and trailing "s has issues with rules like the ones described in issue 1638 thus resulted in crashing the rule parser. So for now this is a quick fix which approaches this issue directly by stripping those "s correctly and handling error cases. It also adds the skip for leading spaces at the msg keyword and worksaround a possible null pointer dereference (that should never occur though). A more general approach should be done in the future. 10 years ago			`/* Strip leading and trailing "s. */`
			`if (distancestr[0] == '\"') {`
support fast pattern for http raw header. Also support relative modifiers for http raw header 16 years ago			`str = SCStrdup(distancestr + 1);`
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc\|SCStrdup\|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1 14 years ago			`if (unlikely(str == NULL))`
code cleanup for all content based keywords. 14 years ago			`goto end;`
rule-parsing: quick fix for rules with wrong double quotes The stripping of leading and trailing "s has issues with rules like the ones described in issue 1638 thus resulted in crashing the rule parser. So for now this is a quick fix which approaches this issue directly by stripping those "s correctly and handling error cases. It also adds the skip for leading spaces at the msg keyword and worksaround a possible null pointer dereference (that should never occur though). A more general approach should be done in the future. 10 years ago			`if (strlen(str) && str[strlen(str) - 1] == '\"') {`
			`str[strlen(str) - 1] = '\0';`
			`}`
Initial add of the files. 18 years ago			`dubbed = 1;`
			`}`

code cleanup for all content based keywords. 14 years ago			`/* retrive the sm to apply the depth against */`
Content: set up sticky buffers like file_data and dce_stub_data w/o flags, but with a list variable 13 years ago			`if (s->list != DETECT_SM_LIST_NOTSET) {`
			`pm = SigMatchGetLastSMFromLists(s, 2, DETECT_CONTENT, s->sm_lists_tail[s->list]);`
code cleanup for all content based keywords. 14 years ago			`} else {`
			`pm = SigMatchGetLastSMFromLists(s, 28,`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],`
find and replace HSBDMATCH by FILEDATA This commit do a find and replace of the following: - DETECT_SM_LIST_HSBDMATCH by DETECT_SM_LIST_FILEDATA sed -i 's/DETECT_SM_LIST_HSBDMATCH/DETECT_SM_LIST_FILEDATA/g' src/* - HSBD by FILEDATA: sed -i 's/HSBDMATCH/FILEDATA/g' src/* 12 years ago			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_FILEDATA],`
code cleanup for all content based keywords. 14 years ago			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],`
			`DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);`
			`}`
turn dce_stub_data into a sticky buffer. 14 years ago			`if (pm == NULL) {`
code cleanup for all content based keywords. 14 years ago			`SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "distance needs "`
turn dce_stub_data into a sticky buffer. 14 years ago			`"preceding content, uricontent option, http_client_body, "`
code cleanup for all content based keywords. 14 years ago			`"http_server_body, http_header option, http_raw_header option, "`
			`"http_method option, http_cookie, http_raw_uri, "`
			`"http_stat_msg, http_stat_code, http_user_agent or "`
			`"file_data/dce_stub_data sticky buffer option");`
			`goto end;`
Improve distance/within/nocase handling, sig parsing error reporting. 17 years ago			`}`
Initial add of the files. 18 years ago
code cleanup for all content based keywords. 14 years ago			`/* verify other conditions */`
			`DetectContentData cd = (DetectContentData )pm->ctx;`
			`if (cd->flags & DETECT_CONTENT_DISTANCE) {`
			`SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple distances for the same content.");`
			`goto end;`
			`}`
			`if ((cd->flags & DETECT_CONTENT_DEPTH) \|\| (cd->flags & DETECT_CONTENT_OFFSET)) {`
			`SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a relative "`
			`"keyword like within/distance with a absolute "`
			`"relative keyword like depth/offset for the same "`
			`"content." );`
			`goto end;`
			`}`
			`if (cd->flags & DETECT_CONTENT_NEGATED && cd->flags & DETECT_CONTENT_FAST_PATTERN) {`
			`SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "`
			`"negated keyword set along with a fast_pattern");`
			`goto end;`
Initial add of the files. 18 years ago			`}`
code cleanup for all content based keywords. 14 years ago			`if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {`
			`SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have a relative "`
			`"keyword set along with a fast_pattern:only;");`
			`goto end;`
			`}`
			`if (str[0] != '-' && isalpha((unsigned char)str[0])) {`
Bug 1230: Check all SigMatch lists for a named byte_extract variable. 12 years ago			`SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(str, s);`
code cleanup for all content based keywords. 14 years ago			`if (bed_sm == NULL) {`
			`SCLogError(SC_ERR_INVALID_SIGNATURE, "unknown byte_extract var "`
			`"seen in distance - %s\n", str);`
			`goto end;`
			`}`
			`cd->distance = ((DetectByteExtractData *)bed_sm->ctx)->local_id;`
			`cd->flags \|= DETECT_CONTENT_DISTANCE_BE;`
			`} else {`
			`cd->distance = strtol(str, NULL, 10);`
			`}`
			`cd->flags \|= DETECT_CONTENT_DISTANCE;`
Initial add of the files. 18 years ago
code cleanup for all content based keywords. 14 years ago			`SigMatch *prev_pm = SigMatchGetLastSMFromLists(s, 4,`
			`DETECT_CONTENT, pm->prev,`
			`DETECT_PCRE, pm->prev);`
			`if (prev_pm == NULL) {`
			`ret = 0;`
			`goto end;`
			`}`
			`if (prev_pm->type == DETECT_CONTENT) {`
distance: fix -Wshadow warning 10 years ago			`DetectContentData prev_cd = (DetectContentData )prev_pm->ctx;`
			`if (prev_cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {`
code cleanup for all content based keywords. 14 years ago			`SCLogError(SC_ERR_INVALID_SIGNATURE, "previous keyword "`
			`"has a fast_pattern:only; set. Can't "`
			`"have relative keywords around a fast_pattern "`
			`"only content");`
			`goto end;`
			`}`
distance: fix -Wshadow warning 10 years ago			`prev_cd->flags \|= DETECT_CONTENT_RELATIVE_NEXT;`
code cleanup for all content based keywords. 14 years ago			`} else if (prev_pm->type == DETECT_PCRE) {`
			`DetectPcreData pd = (DetectPcreData )prev_pm->ctx;`
			`pd->flags \|= DETECT_PCRE_RELATIVE_NEXT;`
			`}`
mpm and fast pattern support for http_header. Also support relative modifiers for http_header 16 years ago
code cleanup for all content based keywords. 14 years ago			`ret = 0;`
			`end:`
mpm and fast pattern support for http_header. Also support relative modifiers for http_header 16 years ago			`if (dubbed)`
			`SCFree(str);`
code cleanup for all content based keywords. 14 years ago			`return ret;`
Initial add of the files. 18 years ago			`}`

Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago			`#ifdef UNITTESTS`

			`static int DetectDistanceTest01(void)`
			`{`
			`int result = 0;`

			`DetectEngineCtx *de_ctx = DetectEngineCtxInit();`
			`if (de_ctx == NULL) {`
			`printf("no de_ctx: ");`
			`goto end;`
			`}`

			`de_ctx->flags \|= DE_QUIET;`

			`de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (content:\"\|AA BB\|\"; content:\"\|CC DD EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE\|\"; distance: 4; within: 19; sid:1; rev:1;)");`
			`if (de_ctx->sig_list == NULL) {`
			`printf("sig parse failed: ");`
			`goto end;`
			`}`

replace all Signature->pmatch instances in the engine with Signature->sm_lists[DETECT_SM_LIST_PMATCH] 16 years ago			`SigMatch *sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH];`
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago			`if (sm == NULL) {`
			`printf("sm NULL: ");`
			`goto end;`
			`}`

			`sm = sm->next;`
			`if (sm == NULL) {`
			`printf("sm2 NULL: ");`
			`goto end;`
			`}`

			`DetectContentData co = (DetectContentData )sm->ctx;`
			`if (co == NULL) {`
			`printf("co == NULL: ");`
clang fixes for null derefrences 16 years ago			`goto end;`
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago			`}`

			`if (co->distance != 4) {`
			`printf("distance %"PRIi32", expected 4: ", co->distance);`
			`goto end;`
			`}`

			`/* within needs to be 23: distance + content_len as Snort auto fixes this */`
bug #411 - fix failing unittest 15 years ago			`if (co->within != 19) {`
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago			`printf("within %"PRIi32", expected 23: ", co->within);`
			`goto end;`
			`}`

			`result = 1;`
			`end:`
			`DetectEngineCtxFree(de_ctx);`
			`return result;`
			`}`

added the support for setting up distance sig when previous keyword is byte_jump (bug 163) 16 years ago			`/**`
			`* \test DetectDistanceTestPacket01 is a test to check matches of`
			`* distance works, if the previous keyword is byte_jump and content`
			`* (bug 163)`
			`*/`
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard. 12 years ago			`int DetectDistanceTestPacket01 (void)`
			`{`
added the support for setting up distance sig when previous keyword is byte_jump (bug 163) 16 years ago			`int result = 0;`
			`uint8_t buf[] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00 };`
			`uint16_t buflen = sizeof(buf);`
			`Packet *p;`
			`p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);`

			`if (p == NULL)`
			`goto end;`

Prefilter signatures before fully scanning them. 16 years ago			`char sig[] = "alert tcp any any -> any any (msg:\"suricata test\"; "`
			`"byte_jump:1,2; content:\"\|00\|\"; "`
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong. 15 years ago			`"within:1; distance:2; sid:98711212; rev:1;)";`
added the support for setting up distance sig when previous keyword is byte_jump (bug 163) 16 years ago
			`p->flowflags = FLOW_PKT_ESTABLISHED \| FLOW_PKT_TOCLIENT;`
			`result = UTHPacketMatchSig(p, sig);`

			`UTHFreePacket(p);`
			`end:`
			`return result;`
			`}`
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago			`#endif /* UNITTESTS */`

Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard. 12 years ago			`void DetectDistanceRegisterTests(void)`
			`{`
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago			`#ifdef UNITTESTS`
tests: no longer necessary to provide successful return code 1 pass, 0 is fail. 10 years ago			`UtRegisterTest("DetectDistanceTest01 -- distance / within mix",`
			`DetectDistanceTest01);`
			`UtRegisterTest("DetectDistanceTestPacket01", DetectDistanceTestPacket01);`
Fix a within calculation bug for cases where distance + pattern length > within setting. Fixes #148. 16 years ago			`#endif /* UNITTESTS */`
			`}`