diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index c4f283dce4..715d752238 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -1060,8 +1060,6 @@ end: return result; } -#endif - /** * \test Checks if a fast_pattern is registered in a Signature */ 
@@ -3159,6 +3157,1120 @@ int DetectFastPatternTest92(void) return result; } +int DetectFastPatternTest93(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:!two; fast_pattern:3,4; http_uri; uricontent:three; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_NEGATED && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +/** + * \test Checks if a fast_pattern is registered in a Signature for uricontent. + */ +int DetectFastPatternTest94(void) +{ + SigMatch *sm = NULL; + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(content:\"/one/\"; fast_pattern:only; http_uri; " + "msg:\"Testing fast_pattern\"; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + result = 0; + sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + while (sm != NULL) { + if (sm->type == DETECT_URICONTENT) { + if ( ((DetectUricontentData *)sm->ctx)->flags & + DETECT_URICONTENT_FAST_PATTERN) { + result = 1; + break; + } else { + result = 0; + break; + } + } + sm = sm->next; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +/** + * \test Checks if a fast_pattern is registered in a Signature for uricontent. 
+ */ +int DetectFastPatternTest95(void) +{ + SigMatch *sm = NULL; + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(content:\"/one/\"; fast_pattern:3,4; http_uri; " + "msg:\"Testing fast_pattern\"; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + result = 0; + sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + while (sm != NULL) { + if (sm->type == DETECT_URICONTENT) { + if ( ((DetectUricontentData *)sm->ctx)->flags & + DETECT_URICONTENT_FAST_PATTERN) { + result = 1; + break; + } else { + result = 0; + break; + } + } + sm = sm->next; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest96(void) +{ + SigMatch *sm = NULL; + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(content:one; fast_pattern:only; http_uri; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + result = 0; + sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + DetectUricontentData *ud = sm->ctx; + if (sm != NULL && sm->type == DETECT_URICONTENT) { + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest97(void) +{ + SigMatch *sm = NULL; + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> 
any any " + "(content:one; fast_pattern:3,4; http_uri; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + result = 0; + sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_UMATCH]; + DetectUricontentData *ud = sm->ctx; + if (sm != NULL && sm->type == DETECT_URICONTENT) { + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest98(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:only; http_uri; distance:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest99(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; distance:10; fast_pattern:only; http_uri; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest100(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:only; http_uri; within:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + 
goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest101(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; within:10; fast_pattern:only; http_uri; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest102(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:only; http_uri; offset:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest103(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; offset:10; fast_pattern:only; http_uri; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest104(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:only; http_uri; depth:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + 
SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest105(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; depth:10; fast_pattern:only; http_uri; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest106(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:!two; fast_pattern:only; http_uri; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest107(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent: one; uricontent:two; distance:30; content:two; fast_pattern:only; http_uri; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest108(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; 
+ + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; within:30; content:two; fast_pattern:only; http_uri; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest109(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; offset:30; content:two; fast_pattern:only; http_uri; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest110(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; depth:30; content:two; fast_pattern:only; http_uri; sid:1;)"); + if (de_ctx->sig_list == NULL) 
+ goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest111(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(content:!one; fast_pattern; http_uri; uricontent:two; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_NEGATED && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest112(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:two; content:!one; fast_pattern; http_uri; distance:20; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest113(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags 
|= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:two; content:!one; fast_pattern; http_uri; within:20; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest114(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:two; content:!one; fast_pattern; http_uri; offset:20; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest115(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:two; content:!one; fast_pattern; http_uri; depth:20; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest116(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:3,4; http_uri; uricontent:three; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) 
{ + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest117(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:3,4; http_uri; uricontent:three; distance:30; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest118(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:3,4; http_uri; uricontent:three; within:30; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest119(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) 
+ goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:3,4; http_uri; uricontent:three; offset:30; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest120(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:3,4; http_uri; uricontent:three; depth:30; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest121(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; distance:10; content:three; fast_pattern:3,4; http_uri; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData 
*ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest122(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; within:10; content:three; fast_pattern:3,4; http_uri; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest123(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; offset:10; content:three; fast_pattern:3,4; http_uri; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) 
{ + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest124(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; depth:10; content:three; fast_pattern:3,4; http_uri; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest125(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:65977,4; http_uri; uricontent:three; distance:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest126(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:3,65977; http_uri; uricontent:three; distance:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + 
DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest127(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:two; fast_pattern:65534,4; http_uri; uricontent:three; distance:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest128(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:!two; fast_pattern:3,4; http_uri; uricontent:three; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_NEGATED && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest129(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:!two; fast_pattern:3,4; http_uri; distance:10; uricontent:three; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int 
DetectFastPatternTest130(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:!two; fast_pattern:3,4; http_uri; within:10; uricontent:three; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest131(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:!two; fast_pattern:3,4; http_uri; offset:10; uricontent:three; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest132(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:!two; fast_pattern:3,4; http_uri; depth:10; uricontent:three; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest133(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; content:!two; fast_pattern:3,4; http_uri; uricontent:three; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = 
de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_UMATCH]->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_NEGATED && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +#endif + void DetectFastPatternRegisterTests(void) { 
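Review bot: DetectFastPatternTest124 cannot fail on a flag mismatch, because an unconditional `result = 1;` follows the if/else that checks `ud->flags`, `fp_chop_offset` and `fp_chop_len`; that line should be removed so the comparison decides the result. As written, a regression in how the chop values reach the uricontent data would pass this test, and a wrongly registered fast pattern presumably shows up as missed alerts rather than a crash. DetectFastPatternTest96 and DetectFastPatternTest97 read `sm->ctx` into `ud` before the `sm != NULL` check, so the guard comes too late; moving `DetectUricontentData *ud = sm->ctx;` inside the `if (sm != NULL && sm->type == DETECT_URICONTENT)` block fixes the order. The repeated `ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP` throughout the hunk is harmless but should read `ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP`.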
@@ -3257,6 +4369,49 @@ void DetectFastPatternRegisterTests(void) UtRegisterTest("DetectFastPatternTest90", DetectFastPatternTest90, 1); UtRegisterTest("DetectFastPatternTest91", DetectFastPatternTest91, 1); UtRegisterTest("DetectFastPatternTest92", DetectFastPatternTest92, 1); + /* uricontent fast_pattern tests ^ */ + /* http_uri fast_pattern tests v */ + UtRegisterTest("DetectFastPatternTest93", DetectFastPatternTest93, 1); + UtRegisterTest("DetectFastPatternTest94", DetectFastPatternTest94, 1); + UtRegisterTest("DetectFastPatternTest95", DetectFastPatternTest95, 1); + UtRegisterTest("DetectFastPatternTest96", DetectFastPatternTest96, 1); + UtRegisterTest("DetectFastPatternTest97", DetectFastPatternTest97, 1); + UtRegisterTest("DetectFastPatternTest98", DetectFastPatternTest98, 1); + UtRegisterTest("DetectFastPatternTest99", DetectFastPatternTest99, 1); + UtRegisterTest("DetectFastPatternTest100", DetectFastPatternTest100, 1); + UtRegisterTest("DetectFastPatternTest101", DetectFastPatternTest101, 1); + UtRegisterTest("DetectFastPatternTest102", DetectFastPatternTest102, 1); + UtRegisterTest("DetectFastPatternTest103", DetectFastPatternTest103, 1); + UtRegisterTest("DetectFastPatternTest104", DetectFastPatternTest104, 1); + UtRegisterTest("DetectFastPatternTest105", DetectFastPatternTest105, 1); + UtRegisterTest("DetectFastPatternTest106", DetectFastPatternTest106, 1); + UtRegisterTest("DetectFastPatternTest107", DetectFastPatternTest107, 1); + UtRegisterTest("DetectFastPatternTest108", DetectFastPatternTest108, 1); + UtRegisterTest("DetectFastPatternTest109", DetectFastPatternTest109, 1); + UtRegisterTest("DetectFastPatternTest110", DetectFastPatternTest110, 1); + UtRegisterTest("DetectFastPatternTest111", DetectFastPatternTest111, 1); + UtRegisterTest("DetectFastPatternTest112", DetectFastPatternTest112, 1); + UtRegisterTest("DetectFastPatternTest113", DetectFastPatternTest113, 1); + UtRegisterTest("DetectFastPatternTest114", DetectFastPatternTest114, 1); + 
UtRegisterTest("DetectFastPatternTest115", DetectFastPatternTest115, 1); + UtRegisterTest("DetectFastPatternTest116", DetectFastPatternTest116, 1); + UtRegisterTest("DetectFastPatternTest117", DetectFastPatternTest117, 1); + UtRegisterTest("DetectFastPatternTest118", DetectFastPatternTest118, 1); + UtRegisterTest("DetectFastPatternTest119", DetectFastPatternTest119, 1); + UtRegisterTest("DetectFastPatternTest120", DetectFastPatternTest120, 1); + UtRegisterTest("DetectFastPatternTest121", DetectFastPatternTest121, 1); + UtRegisterTest("DetectFastPatternTest122", DetectFastPatternTest122, 1); + UtRegisterTest("DetectFastPatternTest123", DetectFastPatternTest123, 1); + UtRegisterTest("DetectFastPatternTest124", DetectFastPatternTest124, 1); + UtRegisterTest("DetectFastPatternTest125", DetectFastPatternTest125, 1); + UtRegisterTest("DetectFastPatternTest126", DetectFastPatternTest126, 1); + UtRegisterTest("DetectFastPatternTest127", DetectFastPatternTest127, 1); + UtRegisterTest("DetectFastPatternTest128", DetectFastPatternTest128, 1); + UtRegisterTest("DetectFastPatternTest129", DetectFastPatternTest129, 1); + UtRegisterTest("DetectFastPatternTest130", DetectFastPatternTest130, 1); + UtRegisterTest("DetectFastPatternTest131", DetectFastPatternTest131, 1); + UtRegisterTest("DetectFastPatternTest132", DetectFastPatternTest132, 1); + UtRegisterTest("DetectFastPatternTest133", DetectFastPatternTest133, 1); #endif return; diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index e0d5354f6b..c6443e5ace 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c 
@@ -108,14 +108,6 @@ static int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) return -1; } - if (((DetectContentData *)pm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) - { - SCLogWarning(SC_WARN_COMPATIBILITY, - "http_uri cannot be used with \"fast_pattern\" currently." - "Unsetting fast_pattern on this modifier. Signature ==> %s", s->sig_str); - ((DetectContentData *)pm->ctx)->flags &= ~DETECT_CONTENT_FAST_PATTERN; - } - /* http_uri should not be used with the rawbytes rule */ if (((DetectContentData *)pm->ctx)->flags & DETECT_CONTENT_RAWBYTES) { @@ -143,6 +135,15 @@ static int DetectHttpUriSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) DETECT_URICONTENT_NOCASE : 0; duc->flags |= (((DetectContentData *)pm->ctx)->flags & DETECT_CONTENT_NEGATED) ? DETECT_URICONTENT_NEGATED : 0; + duc->flags |= (((DetectContentData *)pm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN) ? + DETECT_URICONTENT_FAST_PATTERN : 0; + duc->flags |= (((DetectContentData *)pm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) ? + DETECT_URICONTENT_FAST_PATTERN_ONLY : 0; + if (((DetectContentData *)pm->ctx)->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) { + duc->flags |= DETECT_URICONTENT_FAST_PATTERN_CHOP; + duc->fp_chop_offset = ((DetectContentData *)pm->ctx)->fp_chop_offset; + duc->fp_chop_len = ((DetectContentData *)pm->ctx)->fp_chop_len; + } duc->id = DetectPatternGetId(de_ctx->mpm_pattern_id_store, duc, DETECT_URICONTENT); duc->bm_ctx = BoyerMooreCtxInit(duc->content, duc->content_len);
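Review bot: The new block in the second hunk copies `fp_chop_offset` and `fp_chop_len` into `duc` without comparing them to `duc->content_len`, and the tests added in detect-fast-pattern.c expect `fast_pattern:3,4` to be accepted on three-byte patterns such as `content:two`. Whether the stage that hands the chopped pattern to the pattern matcher bounds the slice is not visible here; if it does not, it would read past the end of `duc->content`. I would reject the rule in the setup path when `fp_chop_offset + fp_chop_len > content_len`, or state in a comment where that bound is enforced, and give the tests patterns long enough for the chop. Separately, a local `DetectContentData *cd = pm->ctx;` would replace the repeated `((DetectContentData *)pm->ctx)` casts in this block. DetectHttpUriSetup starts and ends outside the hunk.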