|
|
|
@ -1453,34 +1453,26 @@ end:
|
|
|
|
|
*/
|
|
|
|
|
static int DetectContentParseTest18(void)
|
|
|
|
|
{
|
|
|
|
|
Signature *s = SigAlloc();
|
|
|
|
|
int result = 1;
|
|
|
|
|
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
result &= (DetectContentSetup(de_ctx, s, "one") == 0);
|
|
|
|
|
result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
|
|
|
|
|
FAIL_IF_NULL(de_ctx);
|
|
|
|
|
|
|
|
|
|
Signature *s = SigAlloc();
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
FAIL_IF(DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0);
|
|
|
|
|
FAIL_IF_NOT(DetectContentSetup(de_ctx, s, "one") == 0);
|
|
|
|
|
FAIL_IF(DetectBufferIsPresent(s, g_dce_stub_data_buffer_id));
|
|
|
|
|
FAIL_IF_NOT(s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL);
|
|
|
|
|
SigFree(de_ctx, s);
|
|
|
|
|
|
|
|
|
|
s = SigAlloc();
|
|
|
|
|
if (s == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
result &= (DetectContentSetup(de_ctx, s, "one") == 0);
|
|
|
|
|
result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
FAIL_IF_NOT(DetectContentSetup(de_ctx, s, "one") == 0);
|
|
|
|
|
FAIL_IF(DetectBufferIsPresent(s, g_dce_stub_data_buffer_id));
|
|
|
|
|
FAIL_IF_NOT(s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL);
|
|
|
|
|
SigFree(de_ctx, s);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
PASS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
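Review bot: The new assertions on the PMATCH list in DetectContentParseTest18 are written as a double negative, `FAIL_IF_NOT(s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL);`, although the same function already uses the direct form for `de_ctx` and `s`. Both occurrences read more clearly as `FAIL_IF_NULL(s->init_data->smlists[DETECT_SM_LIST_PMATCH]);`. The two halves of the test differ only in the `DetectSignatureSetAppProto(s, ALPROTO_DCERPC)` call, and that is easy to miss. A short comment above each half would help, e.g. `/* app proto DCERPC, no dce_stub_data: content must land in PMATCH */` and `/* no app proto: same expectation */`. The page has lost its +/- markers, so this reading of the new side is inferred from the FAIL_IF-style lines.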
|
|
|
|
@ -1489,124 +1481,75 @@ static int DetectContentParseTest18(void)
|
|
|
|
|
|
|
|
|
|
static int DetectContentParseTest19(void)
|
|
|
|
|
{
|
|
|
|
|
DetectEngineCtx *de_ctx = NULL;
|
|
|
|
|
int result = 1;
|
|
|
|
|
Signature *s = NULL;
|
|
|
|
|
DetectContentData *data = NULL;
|
|
|
|
|
|
|
|
|
|
de_ctx = DetectEngineCtxInit();
|
|
|
|
|
if (de_ctx == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
|
|
|
|
|
FAIL_IF_NULL(de_ctx);
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
|
|
|
|
|
Signature *s =
|
|
|
|
|
DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing dce iface, stub_data with content\"; "
|
|
|
|
|
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
|
|
|
|
|
"dce_stub_data; "
|
|
|
|
|
"content:\"one\"; distance:0; sid:1;)");
|
|
|
|
|
if (de_ctx->sig_list == NULL) {
|
|
|
|
|
printf ("failed dce iface, stub_data with content ");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
s = de_ctx->sig_list;
|
|
|
|
|
if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
|
|
|
|
|
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
|
|
|
|
|
if (data->flags & DETECT_CONTENT_RAWBYTES ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NOCASE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_WITHIN ||
|
|
|
|
|
!(data->flags & DETECT_CONTENT_DISTANCE) ||
|
|
|
|
|
data->flags & DETECT_CONTENT_FAST_PATTERN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NEGATED ||
|
|
|
|
|
result == 0) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
|
|
|
|
|
SigMatch *sm = DetectBufferGetFirstSigMatch(s, g_dce_stub_data_buffer_id);
|
|
|
|
|
FAIL_IF_NULL(sm);
|
|
|
|
|
FAIL_IF_NOT(sm->type == DETECT_CONTENT);
|
|
|
|
|
FAIL_IF_NOT(s->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
|
|
|
|
|
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
DetectContentData *data = (DetectContentData *)sm->ctx;
|
|
|
|
|
FAIL_IF_NOT(data->flags == DETECT_CONTENT_DISTANCE);
|
|
|
|
|
|
|
|
|
|
s = DetectEngineAppendSig(de_ctx,
|
|
|
|
|
"alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing dce iface, stub_data with contents & distance, within\"; "
|
|
|
|
|
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
|
|
|
|
|
"dce_stub_data; "
|
|
|
|
|
"content:\"one\"; distance:0; content:\"two\"; within:10; sid:1;)");
|
|
|
|
|
if (s->next == NULL) {
|
|
|
|
|
printf("failed dce iface, stub_data with content & distance, within");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
s = s->next;
|
|
|
|
|
if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
|
|
|
|
|
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
|
|
|
|
|
if (data->flags & DETECT_CONTENT_RAWBYTES ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NOCASE ||
|
|
|
|
|
!(data->flags & DETECT_CONTENT_WITHIN) ||
|
|
|
|
|
data->flags & DETECT_CONTENT_DISTANCE ||
|
|
|
|
|
data->flags & DETECT_CONTENT_FAST_PATTERN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NEGATED ||
|
|
|
|
|
result == 0) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (data->within == 10);
|
|
|
|
|
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"content:\"one\"; distance:0; content:\"two\"; within:10; sid:2;)");
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
sm = DetectBufferGetFirstSigMatch(s, g_dce_stub_data_buffer_id);
|
|
|
|
|
FAIL_IF_NULL(sm);
|
|
|
|
|
FAIL_IF_NOT(sm->type == DETECT_CONTENT);
|
|
|
|
|
FAIL_IF_NULL(sm->next);
|
|
|
|
|
sm = sm->next;
|
|
|
|
|
FAIL_IF_NOT(sm->type == DETECT_CONTENT);
|
|
|
|
|
FAIL_IF_NOT(s->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
|
|
|
|
|
data = (DetectContentData *)sm->ctx;
|
|
|
|
|
FAIL_IF_NOT(data->flags == DETECT_CONTENT_WITHIN);
|
|
|
|
|
FAIL_IF_NOT(data->within == 10);
|
|
|
|
|
|
|
|
|
|
s = DetectEngineAppendSig(de_ctx,
|
|
|
|
|
"alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing dce iface, stub with contents, distance, within\"; "
|
|
|
|
|
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
|
|
|
|
|
"dce_stub_data; "
|
|
|
|
|
"content:\"one\"; distance:0; "
|
|
|
|
|
"content:\"two\"; within:10; distance:2; sid:1;)");
|
|
|
|
|
if (s->next == NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
s = s->next;
|
|
|
|
|
if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_CONTENT);
|
|
|
|
|
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
data = (DetectContentData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
|
|
|
|
|
if (data->flags & DETECT_CONTENT_RAWBYTES ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NOCASE ||
|
|
|
|
|
!(data->flags & DETECT_CONTENT_WITHIN) ||
|
|
|
|
|
!(data->flags & DETECT_CONTENT_DISTANCE) ||
|
|
|
|
|
data->flags & DETECT_CONTENT_FAST_PATTERN ||
|
|
|
|
|
data->flags & DETECT_CONTENT_NEGATED ||
|
|
|
|
|
result == 0) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (data->within == 10 && data->distance == 2);
|
|
|
|
|
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"content:\"two\"; within:10; distance:2; sid:3;)");
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
sm = DetectBufferGetFirstSigMatch(s, g_dce_stub_data_buffer_id);
|
|
|
|
|
FAIL_IF_NULL(sm);
|
|
|
|
|
FAIL_IF_NOT(sm->type == DETECT_CONTENT);
|
|
|
|
|
FAIL_IF_NULL(sm->next);
|
|
|
|
|
sm = sm->next;
|
|
|
|
|
FAIL_IF_NOT(sm->type == DETECT_CONTENT);
|
|
|
|
|
data = (DetectContentData *)sm->ctx;
|
|
|
|
|
FAIL_IF_NOT(data->flags == (DETECT_CONTENT_WITHIN | DETECT_CONTENT_DISTANCE));
|
|
|
|
|
FAIL_IF_NOT(data->within == 10);
|
|
|
|
|
FAIL_IF_NOT(data->distance == 2);
|
|
|
|
|
FAIL_IF_NOT(s->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
|
|
|
|
|
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
|
|
|
|
|
"(msg:\"Testing content\"; "
|
|
|
|
|
"content:\"one\"; sid:1;)");
|
|
|
|
|
if (s->next == NULL) {
|
|
|
|
|
printf ("failed testing content");
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
s = s->next;
|
|
|
|
|
if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
|
|
|
|
|
result = 0;
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
|
|
|
|
|
"content:\"one\"; sid:4;)");
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
FAIL_IF(DetectBufferIsPresent(s, g_dce_stub_data_buffer_id));
|
|
|
|
|
FAIL_IF(s->init_data->smlists[DETECT_SM_LIST_PMATCH] == NULL);
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SigGroupCleanup(de_ctx);
|
|
|
|
|
SigCleanSignatures(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
PASS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
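Review bot: In DetectContentParseTest19 the rewritten checks for the second and third signatures no longer prove that the inspected content is the last entry in the dce_stub_data buffer. The lines that appear to be the old side read `s->sm_lists_tail[g_dce_stub_data_buffer_id]`, while the new side starts at `DetectBufferGetFirstSigMatch(...)` and steps once with `sm = sm->next;`. A keyword that the parser wrongly appended to that buffer would therefore go unnoticed; adding `FAIL_IF(sm->next != NULL);` after each `data->within` / `data->distance` check restores the tail guarantee. The same applies to the first signature, where `FAIL_IF(sm->next != NULL);` after `FAIL_IF_NOT(sm->type == DETECT_CONTENT);` would pin the buffer to exactly one content. The last signature uses `FAIL_IF(... == NULL)` for the PMATCH list where the rest of the function uses `FAIL_IF_NOT(... == NULL)`; `FAIL_IF_NULL(...)` would match the style of the other checks.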
|
|
|
|
|