From 4b77f132df499de9f7c81def0fb0a0affff3c8f9 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Wed, 10 Nov 2010 18:10:52 +0530 Subject: [PATCH] add support for sigs with uricontent fast_pattern --- src/detect-depth.c | 29 +- src/detect-distance.c | 23 + src/detect-fast-pattern.c | 1219 +++++++++++++++++++++++++++++++++++-- src/detect-offset.c | 30 +- src/detect-uricontent.h | 32 +- src/detect-within.c | 23 + 6 files changed, 1299 insertions(+), 57 deletions(-) diff --git a/src/detect-depth.c b/src/detect-depth.c index 573925c626..2025426f4a 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -19,6 +19,7 @@ * \file * * \author Victor Julien + * \author Anoop Saldanha * * Implements the depth keyword */ @@ -56,6 +57,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths char dubbed = 0; SigMatch *pm = NULL; DetectContentData *cd = NULL; + DetectUricontentData *ud = NULL; /* strip "'s */ if (depthstr[0] == '\"' && depthstr[strlen(depthstr)-1] == '\"') { @@ -97,13 +99,28 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths switch (pm->type) { case DETECT_URICONTENT: - { - DetectUricontentData *ud = (DetectUricontentData *)pm->ctx; + ud = (DetectUricontentData *)pm->ctx; if (ud == NULL) { SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument"); - if (dubbed) SCFree(str); + if (dubbed) + SCFree(str); return -1; } + + if (ud->flags & DETECT_URICONTENT_NEGATED) { + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " + "negated keyword set along with a fast_pattern"); + goto error; + } + } else { + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " + "keyword set along with a fast_pattern:only;"); + goto error; + } + } + ud->depth = (uint32_t)atoi(str); if (ud->depth < ud->uricontent_len) { ud->depth = ud->uricontent_len; 
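Review bot: The new rejection paths in the `DETECT_URICONTENT` case of DetectDepthSetup exit through `goto error`, while the `ud == NULL` path directly above them cleans up inline with `if (dubbed) SCFree(str); return -1;`. The `error` label is outside this hunk, so confirm that it exists in this function and frees `str` when `dubbed` is set; otherwise every rule rejected here leaks the stripped copy. The same negated/fast_pattern check block is pasted unchanged into the `@@ -184,6 +185,20 @@` hunk of detect-distance.c. A single shared helper would keep the keyword files from drifting apart in which rule combinations they refuse to load.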
@@ -112,11 +129,11 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths } /* Now update the real limit, as depth is relative to the offset */ ud->depth += ud->offset; - } - break; + ud->flags |= DETECT_URICONTENT_DEPTH; - case DETECT_CONTENT: + break; + case DETECT_CONTENT: cd = (DetectContentData *)pm->ctx; if (cd == NULL) { SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument"); diff --git a/src/detect-distance.c b/src/detect-distance.c index 8c40d99e5c..dc2bca83cd 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -19,6 +19,7 @@ * \file * * \author Victor Julien + * \author Anoop Saldanha * * Implements the distance keyword */ @@ -184,6 +185,20 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, goto error; } + if (ud->flags & DETECT_URICONTENT_NEGATED) { + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " + "negated keyword set along with a fast_pattern"); + goto error; + } + } else { + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative " + "keyword set along with a fast_pattern:only;"); + goto error; + } + } + ud->distance = strtol(str, NULL, 10); if (ud->flags & DETECT_URICONTENT_WITHIN) { if ((ud->distance + ud->uricontent_len) > ud->within) { @@ -214,6 +229,14 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s, } ud->flags |= DETECT_URICONTENT_RELATIVE_NEXT; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword " + "has a fast_pattern:only; set. You can't " + "have relative keywords around a fast_pattern " + "only content"); + goto error; + } + break; case DETECT_PCRE: diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index ea6bac2fca..4eac8b19c6 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c 
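Review bot: In the `@@ -214,6 +229,14 @@` hunk of detect-distance.c the `DETECT_URICONTENT_FAST_PATTERN_ONLY` test runs only after `ud->flags |= DETECT_URICONTENT_RELATIVE_NEXT;` has already modified the previous keyword. Moving the check above that assignment keeps the reject path free of side effects, which matters if the `error` label (outside the hunk) ever stops discarding the whole signature. The enclosing case begins before the hunk, so it is not visible here whether `ud` was NULL-checked for this previous keyword.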
@@ -104,59 +104,104 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a int ret = 0, res = 0; int ov[MAX_SUBSTRINGS]; const char *arg_substr = NULL; + DetectContentData *cd = NULL; + DetectUricontentData *ud = NULL; - if (s->pmatch_tail == NULL) { + if (s->pmatch_tail == NULL && s->umatch_tail == NULL) { SCLogWarning(SC_WARN_COMPATIBILITY, "fast_pattern found inside the " - "rule, without a preceding keyword that supports (currently) " - "this optimization. At least, the engine support " - "fast_pattern for content (not for uricontent yet). " - "The signature is being loaded anyway ==> %s", - s->sig_str); - return 0; + "rule, without a preceding content based keyword. " + "Currently we provide fast_pattern support for content " + "and uricontent"); + return -1; } - SigMatch *pm = DetectContentGetLastPattern(s->pmatch_tail); + SigMatch *pm = SigMatchGetLastSMFromLists(s, 4, + DETECT_CONTENT, s->pmatch_tail, + DETECT_URICONTENT, s->umatch_tail); if (pm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern found inside " "the rule, without a content context. 
Please use a " - "content keyword before using fast_pattern"); + "content based keyword before using fast_pattern"); return -1; } + if (pm->type == DETECT_CONTENT) { + cd = pm->ctx; + } else if (pm->type == DETECT_URICONTENT) { + ud = pm->ctx; + } + if (arg == NULL|| strcmp(arg, "") == 0) { - ((DetectContentData *)pm->ctx)->flags |= DETECT_CONTENT_FAST_PATTERN; + if (pm->type == DETECT_CONTENT) { + cd->flags |= DETECT_CONTENT_FAST_PATTERN; + } else if (pm->type == DETECT_URICONTENT) { + ud->flags |= DETECT_URICONTENT_FAST_PATTERN; + } return 0; } - DetectContentData *cd = pm->ctx; - if (cd->flags & DETECT_CONTENT_NEGATED && - (cd->flags & DETECT_CONTENT_DISTANCE || - cd->flags & DETECT_CONTENT_WITHIN || - cd->flags & DETECT_CONTENT_OFFSET || - cd->flags & DETECT_CONTENT_DEPTH)) { - /* we can't have any of these if we are having "only" */ - SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern; cannot be " - "used with negated content, along with relative modifiers."); - goto error; - } + if (pm->type == DETECT_CONTENT) { + if (cd->flags & DETECT_CONTENT_NEGATED && + (cd->flags & DETECT_CONTENT_DISTANCE || + cd->flags & DETECT_CONTENT_WITHIN || + cd->flags & DETECT_CONTENT_OFFSET || + cd->flags & DETECT_CONTENT_DEPTH)) { + + /* we can't have any of these if we are having "only" */ + SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern; cannot be " + "used with negated content, along with relative modifiers."); + goto error; + } + } else if (pm->type == DETECT_URICONTENT) { + if (ud->flags & DETECT_URICONTENT_NEGATED && + (ud->flags & DETECT_URICONTENT_DISTANCE || + ud->flags & DETECT_URICONTENT_WITHIN || + ud->flags & DETECT_URICONTENT_OFFSET || + ud->flags & DETECT_URICONTENT_DEPTH)) { + /* we can't have any of these if we are having "only" */ + SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern; cannot be " + "used with negated uricontent, along with relative modifiers."); + goto error; + } + } else { + printf("we will never hit else"); + } /* Execute the regex and 
populate args with captures. */ ret = pcre_exec(parse_regex, parse_regex_study, arg, strlen(arg), 0, 0, ov, MAX_SUBSTRINGS); if (ret == 2) { - if (cd->flags & DETECT_CONTENT_NEGATED || - cd->flags & DETECT_CONTENT_DISTANCE || - cd->flags & DETECT_CONTENT_WITHIN || - cd->flags & DETECT_CONTENT_OFFSET || - cd->flags & DETECT_CONTENT_DEPTH) { - /* we can't have any of these if we are having "only" */ - SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern: only; cannot be " - "used with negated content"); - goto error; + if (pm->type == DETECT_CONTENT) { + if (cd->flags & DETECT_CONTENT_NEGATED || + cd->flags & DETECT_CONTENT_DISTANCE || + cd->flags & DETECT_CONTENT_WITHIN || + cd->flags & DETECT_CONTENT_OFFSET || + cd->flags & DETECT_CONTENT_DEPTH) { + + /* we can't have any of these if we are having "only" */ + SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern: only; cannot be " + "used with negated content or with any of the relative " + "modifiers like distance, within, offset, depth"); + goto error; + } + cd->flags |= DETECT_CONTENT_FAST_PATTERN_ONLY; + } else if (pm->type == DETECT_URICONTENT) { + if (ud->flags & DETECT_URICONTENT_NEGATED || + ud->flags & DETECT_URICONTENT_DISTANCE || + ud->flags & DETECT_URICONTENT_WITHIN || + ud->flags & DETECT_URICONTENT_OFFSET || + ud->flags & DETECT_URICONTENT_DEPTH) { + + /* we can't have any of these if we are having "only" */ + SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern: only; cannot be " + "used with negated uricontent"); + goto error; + } + ud->flags |= DETECT_URICONTENT_FAST_PATTERN_ONLY; + } else { + printf("we will never hit else"); } - - cd->flags |= DETECT_CONTENT_FAST_PATTERN_ONLY; } else if (ret == 4) { res = pcre_get_substring((char *)arg, ov, MAX_SUBSTRINGS, 2, &arg_substr); 
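Review bot: Both new fallback branches in DetectFastPatternSetup end in `printf("we will never hit else");` and then carry on, so an unexpected `pm->type` would write to stdout and still let the function reach `return 0` with neither `cd` nor `ud` set. Fail closed instead, for example `SCLogError(SC_ERR_INVALID_SIGNATURE, "fast_pattern: unexpected keyword type"); goto error;`. `pm->ctx` is also assigned to `cd`/`ud` and dereferenced without the NULL check that the depth and distance setup functions perform on the same pointer. The first branch now returns -1 but still logs through `SCLogWarning(SC_WARN_COMPATIBILITY, ...)` and no longer prints `s->sig_str`; since the rule is rejected, `SCLogError` would match the other reject paths. The function body continues outside the hunk.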
@@ -192,10 +237,15 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a goto error; } - cd->fp_chop_offset = offset; - cd->fp_chop_len = length; - - cd->flags |= DETECT_CONTENT_FAST_PATTERN_CHOP; + if (pm->type == DETECT_CONTENT) { + cd->fp_chop_offset = offset; + cd->fp_chop_len = length; + cd->flags |= DETECT_CONTENT_FAST_PATTERN_CHOP; + } else if (pm->type == DETECT_URICONTENT) { + ud->fp_chop_offset = offset; + ud->fp_chop_len = length; + ud->flags |= DETECT_URICONTENT_FAST_PATTERN_CHOP; + } } else { SCLogError(SC_ERR_PCRE_PARSE, "parse error, ret %" PRId32 ", string %s", ret, arg); @@ -216,7 +266,11 @@ static int DetectFastPatternSetup(DetectEngineCtx *de_ctx, Signature *s, char *a // printf("%d-%s\n", args, arg_substr); //} - ((DetectContentData *)pm->ctx)->flags |= DETECT_CONTENT_FAST_PATTERN; + if (pm->type == DETECT_CONTENT) { + cd->flags |= DETECT_CONTENT_FAST_PATTERN; + } else if (pm->type == DETECT_URICONTENT) { + ud->flags |= DETECT_URICONTENT_FAST_PATTERN; + } return 0; 
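Review bot: The chop branch copies `offset` and `length` into `ud->fp_chop_offset` and `ud->fp_chop_len` without comparing them to `ud->uricontent_len`, at least within this hunk. DetectFastPatternTest57 in the same patch expects `uricontent:one; fast_pattern:3,4;` to load, which is a window starting at the end of a three-byte pattern. Whatever code later slices the pattern with these fields therefore has to clamp them, or it could read past the pattern buffer. Either reject the rule here with something like `if (offset + length > ud->uricontent_len) goto error;` (and the equivalent for `cd`), or add a comment naming where the bound is enforced. The range checks that precede this branch are outside the hunk, so part of this may already be covered there.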
@@ -1972,6 +2026,1056 @@ int DetectFastPatternTest53(void) return result; } +/** + * \test Checks if a fast_pattern is registered in a Signature for uricontent. + */ +int DetectFastPatternTest54(void) +{ + SigMatch *sm = NULL; + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:\"/one/\"; fast_pattern:only; " + "msg:\"Testing fast_pattern\"; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + result = 0; + sm = de_ctx->sig_list->umatch; + while (sm != NULL) { + if (sm->type == DETECT_URICONTENT) { + if ( ((DetectUricontentData *)sm->ctx)->flags & + DETECT_URICONTENT_FAST_PATTERN) { + result = 1; + break; + } else { + result = 0; + break; + } + } + sm = sm->next; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +/** + * \test Checks if a fast_pattern is registered in a Signature for uricontent. 
+ */ +int DetectFastPatternTest55(void) +{ + SigMatch *sm = NULL; + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:\"/one/\"; fast_pattern:3,4; " + "msg:\"Testing fast_pattern\"; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + result = 0; + sm = de_ctx->sig_list->umatch; + while (sm != NULL) { + if (sm->type == DETECT_URICONTENT) { + if ( ((DetectUricontentData *)sm->ctx)->flags & + DETECT_URICONTENT_FAST_PATTERN) { + result = 1; + break; + } else { + result = 0; + break; + } + } + sm = sm->next; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest56(void) +{ + SigMatch *sm = NULL; + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; fast_pattern:only; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + result = 0; + sm = de_ctx->sig_list->umatch; + DetectUricontentData *ud = sm->ctx; + if (sm != NULL && sm->type == DETECT_URICONTENT) { + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest57(void) +{ + SigMatch *sm = NULL; + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; fast_pattern:3,4; sid:1;)"); + if 
(de_ctx->sig_list == NULL) + goto end; + + result = 0; + sm = de_ctx->sig_list->umatch; + DetectUricontentData *ud = sm->ctx; + if (sm != NULL && sm->type == DETECT_URICONTENT) { + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest58(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:only; distance:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest59(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; distance:10; fast_pattern:only; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest60(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:only; within:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + 
+int DetectFastPatternTest61(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; within:10; fast_pattern:only; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest62(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:only; offset:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest63(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; offset:10; fast_pattern:only; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest64(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:only; depth:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest65(void) +{ + DetectEngineCtx *de_ctx = 
NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; depth:10; fast_pattern:only; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest66(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:!two; fast_pattern:only; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest67(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent: one; uricontent:two; distance:30; uricontent:two; fast_pattern:only; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest68(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; 
uricontent:two; within:30; uricontent:two; fast_pattern:only; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest69(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; offset:30; uricontent:two; fast_pattern:only; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest70(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; depth:30; uricontent:two; fast_pattern:only; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + 
ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest71(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:!one; fast_pattern; uricontent:two; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_NEGATED && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + !(ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP) && + ud->fp_chop_offset == 0 && + ud->fp_chop_len == 0) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest72(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:two; uricontent:!one; fast_pattern; distance:20; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest73(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:two; uricontent:!one; fast_pattern; within:20; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int 
DetectFastPatternTest74(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:two; uricontent:!one; fast_pattern; offset:20; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest75(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:two; uricontent:!one; fast_pattern; depth:20; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest76(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:3,4; uricontent:three; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest77(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp 
any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:3,4; uricontent:three; distance:30; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest78(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:3,4; uricontent:three; within:30; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest79(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:3,4; uricontent:three; offset:30; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + 
ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest80(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:3,4; uricontent:three; depth:30; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest81(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; distance:10; uricontent:three; fast_pattern:3,4; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest82(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( 
(de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; within:10; uricontent:three; fast_pattern:3,4; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest83(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; offset:10; uricontent:three; fast_pattern:3,4; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest84(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; depth:10; uricontent:three; fast_pattern:3,4; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->ctx; + 
if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest85(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:65977,4; uricontent:three; distance:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest86(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:3,65977; uricontent:three; distance:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest87(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:two; fast_pattern:65534,4; uricontent:three; distance:10; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest88(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( 
(de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:!two; fast_pattern:3,4; uricontent:three; sid:1;)"); + if (de_ctx->sig_list == NULL) + goto end; + DetectUricontentData *ud = de_ctx->sig_list->umatch_tail->prev->ctx; + if (ud->flags & DETECT_URICONTENT_FAST_PATTERN && + ud->flags & DETECT_URICONTENT_NEGATED && + !(ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) && + ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP && + ud->fp_chop_offset == 3 && + ud->fp_chop_len == 4) { + result = 1; + } else { + result = 0; + } + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest89(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:!two; fast_pattern:3,4; distance:10; uricontent:three; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest90(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:!two; fast_pattern:3,4; within:10; uricontent:three; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest91(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp 
any any -> any any " + "(uricontent:one; uricontent:!two; fast_pattern:3,4; offset:10; uricontent:three; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + +int DetectFastPatternTest92(void) +{ + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + if ( (de_ctx = DetectEngineCtxInit()) == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any " + "(uricontent:one; uricontent:!two; fast_pattern:3,4; depth:10; uricontent:three; sid:1;)"); + if (de_ctx->sig_list != NULL) + goto end; + + result = 1; + + end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; +} + void DetectFastPatternRegisterTests(void) { 
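Review bot: DetectFastPatternTest84 sets `result = 1;` unconditionally after its flag check, so it cannot fail once the signature loads; that line should be deleted. DetectFastPatternTest56 and Test57 run `DetectUricontentData *ud = sm->ctx;` before the `sm != NULL` guard, so the assignment should move inside the `if`. The tests that read `umatch_tail->ctx` or `umatch_tail->prev->ctx` likewise dereference without checking the list pointers. Throughout the new tests the CHOP check is written `ud->flags & ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP`; the repeated operand is harmless but reads as a typo for `ud->flags & DETECT_URICONTENT_FAST_PATTERN_CHOP`. Tests 56 onward also have no `\test` comment stating which rule combination each one expects to load or be rejected, which makes the negative cases hard to audit because they pass on any parse failure.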
@@ -2029,6 +3133,47 @@ void DetectFastPatternRegisterTests(void)
 UtRegisterTest("DetectFastPatternTest51", DetectFastPatternTest51, 1);
 UtRegisterTest("DetectFastPatternTest52", DetectFastPatternTest52, 1);
 UtRegisterTest("DetectFastPatternTest53", DetectFastPatternTest53, 1);
+ /* content fast_pattern tests ^ */
+ /* uricontent fast_pattern tests v */
+ UtRegisterTest("DetectFastPatternTest54", DetectFastPatternTest54, 1);
+ UtRegisterTest("DetectFastPatternTest55", DetectFastPatternTest55, 1);
+ UtRegisterTest("DetectFastPatternTest56", DetectFastPatternTest56, 1);
+ UtRegisterTest("DetectFastPatternTest57", DetectFastPatternTest57, 1);
+ UtRegisterTest("DetectFastPatternTest58", DetectFastPatternTest58, 1);
+ UtRegisterTest("DetectFastPatternTest59", DetectFastPatternTest59, 1);
+ UtRegisterTest("DetectFastPatternTest60", DetectFastPatternTest60, 1);
+ UtRegisterTest("DetectFastPatternTest61", DetectFastPatternTest61, 1);
+ UtRegisterTest("DetectFastPatternTest62", DetectFastPatternTest62, 1);
+ UtRegisterTest("DetectFastPatternTest63", DetectFastPatternTest63, 1);
+ UtRegisterTest("DetectFastPatternTest64", DetectFastPatternTest64, 1);
+ UtRegisterTest("DetectFastPatternTest65", DetectFastPatternTest65, 1);
+ UtRegisterTest("DetectFastPatternTest66", DetectFastPatternTest66, 1);
+ UtRegisterTest("DetectFastPatternTest67", DetectFastPatternTest67, 1);
+ UtRegisterTest("DetectFastPatternTest68", DetectFastPatternTest68, 1);
+ UtRegisterTest("DetectFastPatternTest69", DetectFastPatternTest69, 1);
+ UtRegisterTest("DetectFastPatternTest70", DetectFastPatternTest70, 1);
+ UtRegisterTest("DetectFastPatternTest71", DetectFastPatternTest71, 1);
+ UtRegisterTest("DetectFastPatternTest72", DetectFastPatternTest72, 1);
+ UtRegisterTest("DetectFastPatternTest73", DetectFastPatternTest73, 1);
+ UtRegisterTest("DetectFastPatternTest74", DetectFastPatternTest74, 1);
+ UtRegisterTest("DetectFastPatternTest75", DetectFastPatternTest75, 1);
+ UtRegisterTest("DetectFastPatternTest76", DetectFastPatternTest76, 1);
+ UtRegisterTest("DetectFastPatternTest77", DetectFastPatternTest77, 1);
+ UtRegisterTest("DetectFastPatternTest78", DetectFastPatternTest78, 1);
+ UtRegisterTest("DetectFastPatternTest79", DetectFastPatternTest79, 1);
+ UtRegisterTest("DetectFastPatternTest80", DetectFastPatternTest80, 1);
+ UtRegisterTest("DetectFastPatternTest81", DetectFastPatternTest81, 1);
+ UtRegisterTest("DetectFastPatternTest82", DetectFastPatternTest82, 1);
+ UtRegisterTest("DetectFastPatternTest83", DetectFastPatternTest83, 1);
+ UtRegisterTest("DetectFastPatternTest84", DetectFastPatternTest84, 1);
+ UtRegisterTest("DetectFastPatternTest85", DetectFastPatternTest85, 1);
+ UtRegisterTest("DetectFastPatternTest86", DetectFastPatternTest86, 1);
+ UtRegisterTest("DetectFastPatternTest87", DetectFastPatternTest87, 1);
+ UtRegisterTest("DetectFastPatternTest88", DetectFastPatternTest88, 1);
+ UtRegisterTest("DetectFastPatternTest89", DetectFastPatternTest89, 1);
+ UtRegisterTest("DetectFastPatternTest90", DetectFastPatternTest90, 1);
+ UtRegisterTest("DetectFastPatternTest91", DetectFastPatternTest91, 1);
+ UtRegisterTest("DetectFastPatternTest92", DetectFastPatternTest92, 1);
 #endif
 return;
diff --git a/src/detect-offset.c b/src/detect-offset.c
index f41c33ada0..8cceb47302 100644
--- a/src/detect-offset.c
+++ b/src/detect-offset.c
@@ -19,6 +19,7 @@
 * \file
 *
 * \author Victor Julien
+ * \author Anoop Saldanha
 *
 * Implements the offset keyword
 */
@@ -100,9 +101,25 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 ud = (DetectUricontentData *)pm->ctx;
 if (ud == NULL) {
 SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
- if (dubbed) SCFree(str);
+ if (dubbed)
+ SCFree(str);
 return -1;
 }
+
+ if (ud->flags & DETECT_URICONTENT_NEGATED) {
+ if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+ "negated keyword set along with a fast_pattern");
+ goto error;
+ }
+ } else {
+ if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+ "keyword set along with a fast_pattern:only;");
+ goto error;
+ }
+ }
+
 ud->offset = (uint32_t)atoi(str);
 if (ud->depth != 0) {
 if (ud->depth < ud->uricontent_len) {
@@ -113,13 +130,17 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 /* Updating the depth as is relative to the offset */
 ud->depth += ud->offset;
 }
+
+ ud->flags |= DETECT_URICONTENT_OFFSET;
+
 break;
 case DETECT_CONTENT:
 cd = (DetectContentData *)pm->ctx;
 if (cd == NULL) {
 SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
- if (dubbed) SCFree(str);
+ if (dubbed)
+ SCFree(str);
 return -1;
 }
@@ -155,8 +176,9 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
 default:
 SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a preceeding"
 " content or uricontent option");
- if (dubbed) SCFree(str);
- return -1;
+ if (dubbed)
+ SCFree(str);
+ return -1;
 break;
 }
diff --git a/src/detect-uricontent.h b/src/detect-uricontent.h
index a5673f1708..ece0559958 100644
--- a/src/detect-uricontent.h
+++ b/src/detect-uricontent.h
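Review bot: The new NEGATED/FAST_PATTERN checks in the DETECT_URICONTENT case of the first DetectOffsetSetup hunk read `ud->flags` as it stands when `offset` is parsed, so they only fire when `fast_pattern` appears before `offset` in the rule. The reverse order has to be rejected by the fast_pattern setup code, which is not in this hunk, and DetectFastPatternTest89–92 in this patch only cover the fast_pattern-first order; a companion test with `uricontent:!two; offset:10; fast_pattern:3,4;` that expects `SigInit()` to return NULL would pin both orders, since a combination that loads silently can leave a rule that does not match the way its author expects. The messages also call `offset` a "relative" keyword, which it is not; naming the keyword, e.g. `"offset can't be used on a negated uricontent that has fast_pattern set"`, would help rule authors. The `error` label is outside the hunk, so it is worth confirming that it frees `str` when `dubbed` is set, as the `ud == NULL` branch just above does by hand. The same block is added to detect-within.c at `@@ -186,6 +187,20 @@`.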
@@ -25,16 +25,22 @@
 #ifndef __DETECT_URICONTENT_H__
 #define __DETECT_URICONTENT_H__
-#define DETECT_URICONTENT_NOCASE 0x01
-#define DETECT_URICONTENT_DISTANCE 0x02
-#define DETECT_URICONTENT_WITHIN 0x04
+#define DETECT_URICONTENT_NOCASE 0x0001
+#define DETECT_URICONTENT_DISTANCE 0x0002
+#define DETECT_URICONTENT_WITHIN 0x0004
+#define DETECT_URICONTENT_OFFSET 0x0008
+#define DETECT_URICONTENT_DEPTH 0x0010
-#define DETECT_URICONTENT_DISTANCE_NEXT 0x08
-#define DETECT_URICONTENT_WITHIN_NEXT 0x10
+#define DETECT_URICONTENT_DISTANCE_NEXT 0x0020
+#define DETECT_URICONTENT_WITHIN_NEXT 0x0040
-#define DETECT_URICONTENT_RAWBYTES 0x20
-#define DETECT_URICONTENT_NEGATED 0x40
-#define DETECT_URICONTENT_RELATIVE_NEXT 0x80
+#define DETECT_URICONTENT_RAWBYTES 0x0080
+#define DETECT_URICONTENT_NEGATED 0x0100
+#define DETECT_URICONTENT_RELATIVE_NEXT 0x0200
+
+#define DETECT_URICONTENT_FAST_PATTERN 0x0400
+#define DETECT_URICONTENT_FAST_PATTERN_ONLY 0x0800
+#define DETECT_URICONTENT_FAST_PATTERN_CHOP 0x1000
 #define DETECT_URICONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_URICONTENT_DISTANCE || \
 (c)->flags & DETECT_URICONTENT_WITHIN || \
@@ -48,14 +54,20 @@
 typedef struct DetectUricontentData_ {
 uint8_t *uricontent;
 uint8_t uricontent_len;
- uint8_t flags;
 PatIntId id;
+ uint32_t flags;
 uint16_t depth;
 uint16_t offset;
 int32_t distance;
 int32_t within;
 BmCtx *bm_ctx; /**< Boyer Moore context (for spm search) */
-
+ /* if someone wants to add an extra var to this structutre of size 1 byte
+ * you can reduce the below var to uint8_t. No problemo */
+ uint16_t avoid_double_check;
+ /* for chopped fast pattern, the offset */
+ uint16_t fp_chop_offset;
+ /* for chopped fast pattern, the length */
+ uint16_t fp_chop_len;
 } DetectUricontentData;
 /* prototypes */
diff --git a/src/detect-within.c b/src/detect-within.c
index 81ea4b7e71..2eeda6a4ca 100644
--- a/src/detect-within.c
+++ b/src/detect-within.c
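Review bot: DETECT_URICONTENT_NEGATED, DETECT_URICONTENT_RELATIVE_NEXT and the three FAST_PATTERN flags now sit above bit 7, so every variable that carries these flags has to be wider than 8 bits. The struct hunk below widens `flags` itself, but any local, parameter or copy elsewhere that is still typed `uint8_t` would silently drop the negation bit; that code is outside this view, so it is worth a grep before merging. A comment above the block such as `/* values exceed 8 bits; holders must be at least uint16_t */` would record the constraint.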
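Review bot: Nothing in the struct hunk ties `fp_chop_offset` and `fp_chop_len` to `uricontent_len`, and DetectFastPatternTest88 in this patch expects `fast_pattern:3,4` to be accepted on the three-byte pattern `two`, i.e. a chop window that starts at the end of the pattern. If the pattern-matcher setup later reads `fp_chop_len` bytes starting at `uricontent + fp_chop_offset` (not visible here), that is a read past the pattern buffer at rule-load time, so the parser should reject `fp_chop_offset + fp_chop_len > uricontent_len`. The field comments should state the invariant, e.g. `/* for chopped fast pattern, the offset; offset + len must be <= uricontent_len */`. The comment above `avoid_double_check` says the field may shrink but not what it holds, and contains the typo `structutre`.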
@@ -19,6 +19,7 @@
 * \file
 *
 * \author Victor Julien
+ * \author Anoop Saldanha
 *
 * Implements the within keyword
 */
@@ -186,6 +187,20 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
 goto error;
 }
+ if (ud->flags & DETECT_URICONTENT_NEGATED) {
+ if (ud->flags & DETECT_URICONTENT_FAST_PATTERN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+ "negated keyword set along with a fast_pattern");
+ goto error;
+ }
+ } else {
+ if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "You can't have a relative "
+ "keyword set along with a fast_pattern:only;");
+ goto error;
+ }
+ }
+
 ud->within = strtol(str, NULL, 10);
 if (ud->within < (int32_t)ud->uricontent_len) {
 SCLogError(SC_ERR_WITHIN_INVALID, "within argument \"%"PRIi32"\" is "
@@ -224,6 +239,14 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
 }
 ud->flags |= DETECT_URICONTENT_RELATIVE_NEXT;
+ if (ud->flags & DETECT_URICONTENT_FAST_PATTERN_ONLY) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Previous keyword "
+ "has a fast_pattern:only; set. You can't "
+ "have relative keywords around a fast_pattern "
+ "only content");
+ goto error;
+ }
+
 break;
 case DETECT_PCRE:
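Review bot: In the last DetectWithinSetup hunk, `ud->flags |= DETECT_URICONTENT_RELATIVE_NEXT;` is applied to what the message calls the previous keyword before the new FAST_PATTERN_ONLY check rejects the signature; running the check first would leave that keyword's data untouched on the error path. Unlike the block added in the hunk above, this check does not cover a negated previous uricontent that has plain `fast_pattern` set; if that combination is meant to be allowed here, a one-line comment saying so would help. The enclosing switch starts and ends outside the hunk.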