diff --git a/src/detect-flowint.c b/src/detect-flowint.c index be1566e9ad..98db87f6cd 100644 --- a/src/detect-flowint.c +++ b/src/detect-flowint.c @@ -1,8 +1,9 @@ -/** Copyright (c) 2009 Open Information Security Foundation. - ** \author Pablo Rincon - ** Flowvar management for integer types, part of the detection engine - ** Keyword: flowint - **/ +/** Copyright(c) 2009 Open Information Security Foundation. + * + * \author Pablo Rincon + * Flowvar management for integer types, part of the detection engine + * Keyword: flowint + */ #include "eidps-common.h" #include "decode.h" @@ -20,23 +21,20 @@ #include "detect-engine.h" #include "detect-engine-mpm.h" - -#include /* for UINT32_MAX */ - /* name modifiers value */ -#define PARSE_REGEX "^\\s*([a-zA-Z][\\w\\d_]+),\\s*([+=-]{1}|==|!=|<|<=|>|>=|isset)\\s*,?\\s*([a-zA-Z][\\w\\d]+|[\\d]{1,10})?\\s*$" +#define PARSE_REGEX "^\\s*([a-zA-Z][\\w\\d_]+)\\s*,\\s*([+=-]{1}|==|!=|<|<=|>|>=|isset|notset)\\s*,?\\s*([a-zA-Z][\\w\\d]+|[\\d]{1,10})?\\s*$" /* Varnames must begin with a letter */ static pcre *parse_regex; static pcre_extra *parse_regex_study; -int DetectFlowintMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, +int DetectFlowintMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *); -int DetectFlowintSetup (DetectEngineCtx *, Signature *, SigMatch *, char *); -void DetectFlowintFree (void *); -void DetectFlowintRegisterTests (void); +int DetectFlowintSetup(DetectEngineCtx *, Signature *, SigMatch *, char *); +void DetectFlowintFree(void *); +void DetectFlowintRegisterTests(void); -void DetectFlowintRegister (void) +void DetectFlowintRegister(void) { sigmatch_table[DETECT_FLOWINT].name = "flowint"; sigmatch_table[DETECT_FLOWINT].Match = DetectFlowintMatch; 
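Review bot: The hunk removes the `#include <stdint.h> /* for UINT32_MAX */` line, but DetectFlowintParse further down in this diff still evaluates `value_long > UINT32_MAX`; unless eidps-common.h transitively provides stdint.h/inttypes.h this no longer compiles, so keep the include or confirm the transitive one. In the reworked PARSE_REGEX both `([a-zA-Z][\w\d_]+)` and the value alternative `[a-zA-Z][\w\d]+` require at least two characters, so a single-letter flowint or target name is rejected by the regex before the parser ever sees it; if that is not intended, use `[a-zA-Z]\w*`. `\w` already covers digits and underscore, so `[\w\d_]` and `[\w\d]` can simply be `\w`. The value group is optional, so `myvar,==,` passes the regex and the parser is the only thing rejecting the empty value — a comment next to the regex saying so would save the next reader a trip.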
@@ -48,22 +46,22 @@ void DetectFlowintRegister (void) int eo; int opts = 0; - parse_regex = pcre_compile (PARSE_REGEX, opts, &eb, &eo, NULL); + parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL); if (parse_regex == NULL) { - SCLogDebug ("pcre compile of \"%s\" failed at offset %" PRId32 ": %s", + SCLogDebug("pcre compile of \"%s\" failed at offset %" PRId32 ": %s", PARSE_REGEX, eo, eb); goto error; } - parse_regex_study = pcre_study (parse_regex, 0, &eb); + parse_regex_study = pcre_study(parse_regex, 0, &eb); if (eb != NULL) { - SCLogDebug ("pcre study failed: %s", eb); + SCLogDebug("pcre study failed: %s", eb); goto error; } return; - error: + SCLogInfo("Error registering flowint detection plugin"); return; } 
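Review bot: After a failed pcre_compile or pcre_study the new `SCLogInfo("Error registering flowint detection plugin");` is the only consequence: `parse_regex` stays NULL and the first flowint rule loaded passes it straight to pcre_exec. A builtin keyword failing to register is fatal for rule loading, so log it with SCLogError and either abort here or make DetectFlowintParse bail out with `if (parse_regex == NULL) return NULL;` before calling pcre_exec. The actual compile error text is still only emitted through SCLogDebug, which is compiled out of release builds, so the Info line is all an operator would see.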
@@ -81,92 +79,113 @@ error: * \retval 1 match, when a var is initialized well, add/substracted, or a true * condition */ -int DetectFlowintMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, +int DetectFlowintMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m) { - DetectFlowintData *sfd = (DetectFlowintData *) m->ctx; + DetectFlowintData *sfd =(DetectFlowintData *) m->ctx; FlowVar *fv; FlowVar *fvt; uint32_t targetval; + /** ATM If we are going to compare the current var with another + * that doesn't exist, the default value will be zero; + * if you don't want this behaviour, you can use the keyword + * "isset" to make it match or not before using the default + * value of zero; + * But it is mandatory that the current var exist, otherwise, it will + * return zero(not match). + */ if (sfd->targettype == FLOWINT_TARGET_VAR) { - sfd->target.tvar.idx = VariableNameGetIdx (det_ctx->de_ctx, + sfd->target.tvar.idx = VariableNameGetIdx(det_ctx->de_ctx, sfd->target.tvar.name, DETECT_FLOWINT); - fvt = FlowVarGet (p->flow, sfd->target.tvar.idx); - if (fvt == NULL) + fvt = FlowVarGet(p->flow, sfd->target.tvar.idx); /* We don't have that variable initialized yet */ - /* so now we need to determine what to do... */ - return 0; - //targetval = 0; + if (fvt == NULL) + targetval = 0; else targetval = fvt->data.fv_int.value; - } else + } else { targetval = sfd->target.value; + } - SCLogDebug ("Our var %s is at idx: %"PRIu16"", sfd->name, sfd->idx); + SCLogDebug("Our var %s is at idx: %"PRIu16"", sfd->name, sfd->idx); if (sfd->modifier == FLOWINT_MODIFIER_SET) { - FlowVarAddInt (p->flow, sfd->idx, targetval); - SCLogDebug ("Setting %s = %u", sfd->name, targetval); + FlowVarAddInt(p->flow, sfd->idx, targetval); + SCLogDebug("Setting %s = %u", sfd->name, targetval); return 1; } - fv = FlowVarGet (p->flow, sfd->idx); + fv = FlowVarGet(p->flow, sfd->idx); + + if (sfd->modifier == FLOWINT_MODIFIER_ISSET) { + SCLogDebug(" Isset %s? 
= %u", sfd->name,(fv) ? 1 : 0); + if (fv != NULL) + return 1; + else + return 0; + } + + if (sfd->modifier == FLOWINT_MODIFIER_NOTSET) { + SCLogDebug(" Not set %s? = %u", sfd->name,(fv) ? 0 : 1); + if (fv != NULL) + return 0; + else + return 1; + } + if (fv != NULL && fv->datatype == FLOWVAR_TYPE_INT) { if (sfd->modifier == FLOWINT_MODIFIER_ADD) { - SCLogDebug ("Adding %u to %s", targetval, sfd->name); - FlowVarAddInt (p->flow, sfd->idx, fv->data.fv_int.value + + SCLogDebug("Adding %u to %s", targetval, sfd->name); + FlowVarAddInt(p->flow, sfd->idx, fv->data.fv_int.value + targetval); return 1; } if (sfd->modifier == FLOWINT_MODIFIER_SUB) { - SCLogDebug ("Substracting %u to %s", targetval, sfd->name); - FlowVarAddInt (p->flow, sfd->idx, fv->data.fv_int.value - + SCLogDebug("Substracting %u to %s", targetval, sfd->name); + FlowVarAddInt(p->flow, sfd->idx, fv->data.fv_int.value - targetval); return 1; } - switch (sfd->modifier) { + switch(sfd->modifier) { case FLOWINT_MODIFIER_EQ: - SCLogDebug ("( %u EQ %u )", fv->data.fv_int.value, targetval); + SCLogDebug("( %u EQ %u )", fv->data.fv_int.value, targetval); return fv->data.fv_int.value == targetval; break; case FLOWINT_MODIFIER_NE: - SCLogDebug ("( %u NE %u )", fv->data.fv_int.value, targetval); + SCLogDebug("( %u NE %u )", fv->data.fv_int.value, targetval); return fv->data.fv_int.value != targetval; break; case FLOWINT_MODIFIER_LT: - SCLogDebug ("( %u LT %u )", fv->data.fv_int.value, targetval); + SCLogDebug("( %u LT %u )", fv->data.fv_int.value, targetval); return fv->data.fv_int.value < targetval; break; case FLOWINT_MODIFIER_LE: - SCLogDebug ("( %u LE %u )", fv->data.fv_int.value, targetval); + SCLogDebug("( %u LE %u )", fv->data.fv_int.value, targetval); return fv->data.fv_int.value <= targetval; break; case FLOWINT_MODIFIER_GT: - SCLogDebug ("( %u GT %u )", fv->data.fv_int.value, targetval); + SCLogDebug("( %u GT %u )", fv->data.fv_int.value, targetval); return fv->data.fv_int.value > targetval; break; case 
FLOWINT_MODIFIER_GE: - SCLogDebug ("( %u GE %u )", fv->data.fv_int.value, targetval); + SCLogDebug("( %u GE %u )", fv->data.fv_int.value, targetval); return fv->data.fv_int.value >= targetval; break; default: - SCLogDebug ("Unknown Modifier!"); - exit (EXIT_FAILURE); + SCLogDebug("Unknown Modifier!"); + exit(EXIT_FAILURE); } } else { - SCLogDebug ("Var not found!"); + SCLogDebug("Var not found!"); /* It doesn't exist because it wasn't set - * or it is a string var, we can't compare */ + * or it is a string var, that we don't compare here + */ return 0; - /* TODO: Add a keyword "isset" */ } - - /* It shouldn't reach this */ - return 0; } /** @@ -178,7 +197,7 @@ int DetectFlowintMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, * \retval NULL if invalid option * \retval DetectFlowintData pointer with the flowint parsed */ -DetectFlowintData *DetectFlowintParse (DetectEngineCtx *de_ctx, +DetectFlowintData *DetectFlowintParse(DetectEngineCtx *de_ctx, char *rawstr) { DetectFlowintData *sfd = NULL; 
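Review bot: `sfd->target.tvar.idx = VariableNameGetIdx(det_ctx->de_ctx, ...)` writes into the shared SigMatch context from the per-packet match path, which is a name lookup on every packet and a write to rule data shared by all detect threads; resolve it once at setup, the way `sfd->idx` is already resolved in DetectFlowintParse, and only read it here. The `default:` branch still calls `exit(EXIT_FAILURE)` from inside packet processing, so a modifier value the parser did not produce would take the whole sensor down rather than fail the match — `return 0;` is the fail-closed choice. The add/sub paths use plain uint32_t arithmetic, so `flowint:x,-,1` on a zero counter wraps to 4294967295 and an add past UINT32_MAX wraps to a small value; saturating, or at least a comment stating that wrap is accepted, keeps threshold-style rules honest. The new isset/notset branches return on any FlowVar regardless of datatype, while the comparisons below insist on FLOWVAR_TYPE_INT; if that asymmetry is intended, say so in the comment block at the top of the function.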
@@ -190,123 +209,109 @@ DetectFlowintData *DetectFlowintParse (DetectEngineCtx *de_ctx, int ov[MAX_SUBSTRINGS]; uint8_t modifier = FLOWINT_MODIFIER_UNKNOWN; unsigned long long value_long = 0; - uint8_t dubbed = 0; const char *str_ptr; - ret = pcre_exec (parse_regex, parse_regex_study, rawstr, strlen (rawstr), + ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS); if (ret < 3 || ret > 4) { - SCLogDebug ("ERROR: \"%s\" is not a valid setting for flowint (ret = %d).", rawstr, ret); + SCLogDebug("ERROR: \"%s\" is not a valid setting for flowint(ret = %d).", rawstr, ret); return NULL; } /* Get our flowint varname */ - res = pcre_get_substring ( (char *) rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr); + res = pcre_get_substring((char *) rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr); if (res < 0) { - SCLogDebug ("DetectFlowintParse: pcre_get_substring failed"); + SCLogDebug("DetectFlowintParse: pcre_get_substring failed"); return NULL; } - varname = (char *) str_ptr; + varname =(char *) str_ptr; - res = pcre_get_substring ( (char *) rawstr, ov, MAX_SUBSTRINGS, 2, + res = pcre_get_substring((char *) rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr); if (res < 0) { - SCLogDebug ("DetectFlowintParse: pcre_get_substring failed"); + SCLogDebug("DetectFlowintParse: pcre_get_substring failed"); return NULL; } /* Get the modifier */ - if (strcmp ("=", str_ptr) == 0) + if (strcmp("=", str_ptr) == 0) modifier = FLOWINT_MODIFIER_SET; - if (strcmp ("+", str_ptr) == 0) + if (strcmp("+", str_ptr) == 0) modifier = FLOWINT_MODIFIER_ADD; - if (strcmp ("-", str_ptr) == 0) + if (strcmp("-", str_ptr) == 0) modifier = FLOWINT_MODIFIER_SUB; - if (strcmp ("<", str_ptr) == 0) + if (strcmp("<", str_ptr) == 0) modifier = FLOWINT_MODIFIER_LT; - if (strcmp ("<=", str_ptr) == 0) + if (strcmp("<=", str_ptr) == 0) modifier = FLOWINT_MODIFIER_LE; - if (strcmp ("!=", str_ptr) == 0) + if (strcmp("!=", str_ptr) == 0) modifier = FLOWINT_MODIFIER_NE; - if (strcmp ("==", str_ptr) == 
0) + if (strcmp("==", str_ptr) == 0) modifier = FLOWINT_MODIFIER_EQ; - if (strcmp (">=", str_ptr) == 0) + if (strcmp(">=", str_ptr) == 0) modifier = FLOWINT_MODIFIER_GE; - if (strcmp (">", str_ptr) == 0) + if (strcmp(">", str_ptr) == 0) modifier = FLOWINT_MODIFIER_GT; - if (strcmp ("isset", str_ptr) == 0) - modifier = FLOWINT_MODIFIER_IS; + if (strcmp("isset", str_ptr) == 0) + modifier = FLOWINT_MODIFIER_ISSET; + if (strcmp("notset", str_ptr) == 0) + modifier = FLOWINT_MODIFIER_NOTSET; if (modifier == FLOWINT_MODIFIER_UNKNOWN) goto error; - sfd = malloc (sizeof (DetectFlowintData)); + sfd = malloc(sizeof(DetectFlowintData)); if (sfd == NULL) { - SCLogDebug ("DetectFlowintSetup malloc failed"); + SCLogError(SC_ERR_MEM_ALLOC, "DetectFlowintSetup malloc failed"); goto error; } - /* If we need another arg, check it out (isset doesn't need another arg) */ - if (modifier != FLOWINT_MODIFIER_IS) { - res = pcre_get_substring ( (char *) rawstr, ov, MAX_SUBSTRINGS, 3, + /* If we need another arg, check it out(isset doesn't need another arg) */ + if (modifier != FLOWINT_MODIFIER_ISSET && modifier != FLOWINT_MODIFIER_NOTSET) { + res = pcre_get_substring((char *) rawstr, ov, MAX_SUBSTRINGS, 3, &str_ptr); - varval = (char *) str_ptr; + varval =(char *) str_ptr; if (res < 0 || strcmp(varval,"") == 0) { - SCLogDebug ("DetectFlowintParse: pcre_get_substring failed"); + SCLogDebug("DetectFlowintParse: pcre_get_substring failed"); return NULL; } - printf("varval = %s!!!\n", varval); + /* get the target value to operate with - * (it should be a value or another var) */ - if (varval[0] == '\"' && varval[strlen (varval)-1] == '\"') { - str = strdup (varval + 1); - str[strlen (varval)-2] = '\0'; - dubbed = 1; - if (str[0] >= '0' && str[0] <= '9') { /* is digit, look at the regexp */ - sfd->targettype = FLOWINT_TARGET_VAL; - value_long = atoll (str); - if (value_long > UINT32_MAX) { - SCLogDebug ("DetectFlowintParse: Cannot load this value." 
- " Values should be between 0 and %"PRIu32, UINT32_MAX); - goto error; - } - } else { - sfd->targettype = FLOWINT_TARGET_VAR; - sfd->target.tvar.name = strdup (varval); + *(it should be a value or another var) */ + str = strdup(varval); + if (str == NULL) { + SCLogError(SC_ERR_MEM_ALLOC, "DetectFlowintSetup malloc from strdup failed"); + goto error; + } + + if (str[0] >= '0' && str[0] <= '9') { /* is digit, look at the regexp */ + sfd->targettype = FLOWINT_TARGET_VAL; + value_long = atoll(str); + if (value_long > UINT32_MAX) { + SCLogDebug("DetectFlowintParse: Cannot load this value." + " Values should be between 0 and %"PRIu32, UINT32_MAX); + goto error; } } else { - if (varval[0] >= '0' && varval[0] <= '9') { - sfd->targettype = FLOWINT_TARGET_VAL; - value_long = atoll (varval); - if (value_long > UINT32_MAX) { - SCLogDebug ("DetectFlowintParse: Cannot load this value." - " Values should be between 0 and %"PRIu32, UINT32_MAX); - goto error; - } - } else { - sfd->targettype = FLOWINT_TARGET_VAR; - sfd->target.tvar.name = strdup (varval); - } + sfd->targettype = FLOWINT_TARGET_VAR; + sfd->target.tvar.name = str; } } else { sfd->targettype = FLOWINT_TARGET_SELF; } /* Set the name of the origin var to modify/compared with the target */ - sfd->name = strdup (varname); + sfd->name = strdup(varname); if (de_ctx != NULL) - sfd->idx = VariableNameGetIdx (de_ctx, varname, DETECT_FLOWINT); - sfd->target.value = (uint32_t) value_long; + sfd->idx = VariableNameGetIdx(de_ctx, varname, DETECT_FLOWINT); + sfd->target.value =(uint32_t) value_long; sfd->modifier = modifier; - if (dubbed == 1) free (str); - return sfd; error: - if (dubbed == 1) free (str); - if (sfd != NULL) free (sfd); + if (sfd != NULL) free(sfd); return NULL; } 
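Review bot: Two leaks in the reworked DetectFlowintParse error handling: once `sfd = malloc(...)` has succeeded, the substring-3 failure path still does `return NULL;` instead of `goto error`, leaking sfd, and the `value_long > UINT32_MAX` path jumps to error after `str = strdup(varval)` without freeing str (the old `dubbed` bookkeeping that released it was removed). Change the first to `goto error;` and add `free(str);` before the second goto. Because the struct comes from malloc, `sfd->idx` is indeterminate when de_ctx is NULL and `sfd->target` is uninitialised for the SELF target type; `sfd = calloc(1, sizeof(*sfd));` is the cheap fix. If `target` is a union of `value` and `tvar` (the access pattern suggests it), the unconditional `sfd->target.value = (uint32_t) value_long;` executed after `sfd->target.tvar.name = str;` overwrites part of the stored pointer — guard it with `if (sfd->targettype == FLOWINT_TARGET_VAL)` or confirm the layout. The strings returned by pcre_get_substring are also never released with pcre_free_substring, and `sfd->name = strdup(varname)` is unchecked.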
@@ -321,18 +326,16 @@ error: * \retval 0 if all is ok * \retval -1 if we find any problem */ -int DetectFlowintSetup (DetectEngineCtx *de_ctx, +int DetectFlowintSetup(DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *rawstr) { DetectFlowintData *sfd = NULL; SigMatch *sm = NULL; - sfd = DetectFlowintParse (de_ctx, rawstr); + sfd = DetectFlowintParse(de_ctx, rawstr); if (sfd == NULL) goto error; - sfd->idx = VariableNameGetIdx (de_ctx, sfd->name, DETECT_FLOWINT); - /* Okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ sm = SigMatchAlloc(); 
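Review bot: With the `sfd->idx = VariableNameGetIdx(de_ctx, sfd->name, DETECT_FLOWINT);` line removed, DetectFlowintSetup depends on DetectFlowintParse having resolved idx, which it only does when de_ctx != NULL; since sfd is malloc'd, a NULL de_ctx here would append a SigMatch with an indeterminate idx to the signature. Add `if (de_ctx == NULL) goto error;` before the parse call, or make Parse refuse to return a SigMatch-ready struct without a ctx. The rest of DetectFlowintSetup, including the SigMatchAlloc error handling, runs past the end of this hunk.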
@@ -340,56 +343,56 @@ int DetectFlowintSetup (DetectEngineCtx *de_ctx, goto error; sm->type = DETECT_FLOWINT; - sm->ctx = (void *) sfd; + sm->ctx =(void *) sfd; - SigMatchAppend (s, m, sm); + SigMatchAppend(s, m, sm); return 0; error: - if (sfd) DetectFlowintFree (sfd); - if (sm) free (sm); + if (sfd) DetectFlowintFree(sfd); + if (sm) free(sm); return -1; } /** * \brief This function is used to free the data of DetectFlowintData */ -void DetectFlowintFree (void *tmp) +void DetectFlowintFree(void *tmp) { - DetectFlowintData *sfd = (DetectFlowintData*) tmp; + DetectFlowintData *sfd =(DetectFlowintData*) tmp; if (sfd != NULL) { if (sfd->name != NULL) - free (sfd->name); + free(sfd->name); if (sfd->targettype == FLOWINT_TARGET_VAR) if (sfd->target.tvar.name != NULL) - free (sfd->target.tvar.name); - free (sfd); + free(sfd->target.tvar.name); + free(sfd); } } /** * \brief This is a helper funtion used for debugging purposes */ -void DetectFlowintPrintData (DetectFlowintData *sfd) +void DetectFlowintPrintData(DetectFlowintData *sfd) { if (sfd == NULL) { - SCLogDebug ("DetectFlowintPrintData: Error, DetectFlowintData == NULL!"); + SCLogDebug("DetectFlowintPrintData: Error, DetectFlowintData == NULL!"); return; } - SCLogDebug ("Varname: %s, modifier: %"PRIu8", idx: %"PRIu16" Target: ", + SCLogDebug("Varname: %s, modifier: %"PRIu8", idx: %"PRIu16" Target: ", sfd->name, sfd->modifier, sfd->idx); - switch (sfd->targettype) { + switch(sfd->targettype) { case FLOWINT_TARGET_VAR: - SCLogDebug ("target_var: %s, target_idx: %"PRIu16, + SCLogDebug("target_var: %s, target_idx: %"PRIu16, sfd->target.tvar.name, sfd->target.tvar.idx); break; case FLOWINT_TARGET_VAL: - SCLogDebug ("Value: %"PRIu32"; ", sfd->target.value); + SCLogDebug("Value: %"PRIu32"; ", sfd->target.value); break; default : - SCLogDebug ("DetectFlowintPrintData: Error, Targettype not known!"); + SCLogDebug("DetectFlowintPrintData: Error, Targettype not known!"); } } 
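Review bot: DetectFlowintPrintData's switch has no case for FLOWINT_TARGET_SELF, which the isset/notset modifiers introduced in this commit now produce, so every such rule is reported as `DetectFlowintPrintData: Error, Targettype not known!`; add `case FLOWINT_TARGET_SELF: SCLogDebug("Target: self"); break;`. In DetectFlowintFree the nested unbraced `if (sfd->targettype == FLOWINT_TARGET_VAR) if (sfd->target.tvar.name != NULL)` is the dangling-else shape — brace it, and since `free(NULL)` is a no-op the inner check can go. The Setup error path releases `sm` with plain `free(sm)` although it came from SigMatchAlloc, which is only correct if that allocator is a bare malloc; confirm or use the matching release. This hunk starts partway through DetectFlowintSetup.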
@@ -398,7 +401,7 @@ void DetectFlowintPrintData (DetectFlowintData *sfd) * \test DetectFlowintTestParseVal01 is a test to make sure that we set the * DetectFlowint correctly for setting a valid target value */ -int DetectFlowintTestParseVal01 (void) +int DetectFlowintTestParseVal01(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -408,20 +411,20 @@ int DetectFlowintTestParseVal01 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar,=,35"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && sfd->target.value == 35 && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar,=,35"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && sfd->target.value == 35 && !strcmp(sfd->name, "myvar") && sfd->modifier == FLOWINT_MODIFIER_SET) { result = 1; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -429,7 +432,7 @@ error: * \test DetectFlowintTestParseVar01 is a test to make sure that we set the * DetectFlowint correctly for setting a valid target variable */ -int DetectFlowintTestParseVar01 (void) +int DetectFlowintTestParseVar01(void) { int result = 0; DetectFlowintData *sfd = NULL; 
@@ -439,23 +442,23 @@ int DetectFlowintTestParseVar01 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar,=,targetvar"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar,=,targetvar"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && !strcmp(sfd->name, "myvar") && sfd->targettype == FLOWINT_TARGET_VAR && sfd->target.tvar.name != NULL - && !strcmp (sfd->target.tvar.name, "targetvar") + && !strcmp(sfd->target.tvar.name, "targetvar") && sfd->modifier == FLOWINT_MODIFIER_SET) { result = 1; } - if (sfd) DetectFlowintFree (sfd); - DetectEngineCtxFree (de_ctx); + if (sfd) DetectFlowintFree(sfd); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -463,7 +466,7 @@ error: * \test DetectFlowintTestParseVal02 is a test to make sure that we set the * DetectFlowint correctly for adding a valid target value */ -int DetectFlowintTestParseVal02 (void) +int DetectFlowintTestParseVal02(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -473,20 +476,20 @@ int DetectFlowintTestParseVal02 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar,+,35"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && sfd->target.value == 35 && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar,+,35"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && sfd->target.value == 35 && !strcmp(sfd->name, "myvar") && sfd->modifier == FLOWINT_MODIFIER_ADD) { result = 1; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } 
@@ -494,7 +497,7 @@ error: * \test DetectFlowintTestParseVar02 is a test to make sure that we set the * DetectFlowint correctly for adding a valid target variable */ -int DetectFlowintTestParseVar02 (void) +int DetectFlowintTestParseVar02(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -504,23 +507,23 @@ int DetectFlowintTestParseVar02 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar,+,targetvar"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar,+,targetvar"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && !strcmp(sfd->name, "myvar") && sfd->targettype == FLOWINT_TARGET_VAR && sfd->target.tvar.name != NULL - && !strcmp (sfd->target.tvar.name, "targetvar") + && !strcmp(sfd->target.tvar.name, "targetvar") && sfd->modifier == FLOWINT_MODIFIER_ADD) { result = 1; } - if (sfd) DetectFlowintFree (sfd); - DetectEngineCtxFree (de_ctx); + if (sfd) DetectFlowintFree(sfd); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -528,7 +531,7 @@ error: * \test DetectFlowintTestParseVal03 is a test to make sure that we set the * DetectFlowint correctly for substract a valid target value */ -int DetectFlowintTestParseVal03 (void) +int DetectFlowintTestParseVal03(void) { int result = 0; DetectFlowintData *sfd = NULL; 
@@ -538,20 +541,20 @@ int DetectFlowintTestParseVal03 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar,-,35"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && sfd->target.value == 35 && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar,-,35"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && sfd->target.value == 35 && !strcmp(sfd->name, "myvar") && sfd->modifier == FLOWINT_MODIFIER_SUB) { result = 1; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -559,7 +562,7 @@ error: * \test DetectFlowintTestParseVar03 is a test to make sure that we set the * DetectFlowint correctly for substract a valid target variable */ -int DetectFlowintTestParseVar03 (void) +int DetectFlowintTestParseVar03(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -569,23 +572,23 @@ int DetectFlowintTestParseVar03 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar,-,targetvar"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar,-,targetvar"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && !strcmp(sfd->name, "myvar") && sfd->targettype == FLOWINT_TARGET_VAR && sfd->target.tvar.name != NULL - && !strcmp (sfd->target.tvar.name, "targetvar") + && !strcmp(sfd->target.tvar.name, "targetvar") && sfd->modifier == FLOWINT_MODIFIER_SUB) { result = 1; } - if (sfd) DetectFlowintFree (sfd); - DetectEngineCtxFree (de_ctx); + if (sfd) DetectFlowintFree(sfd); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } 
@@ -594,7 +597,7 @@ error: * \test DetectFlowintTestParseVal04 is a test to make sure that we set the * DetectFlowint correctly for checking if equal to a valid target value */ -int DetectFlowintTestParseVal04 (void) +int DetectFlowintTestParseVal04(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -604,20 +607,20 @@ int DetectFlowintTestParseVal04 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar,==,35"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && sfd->target.value == 35 && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar,==,35"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && sfd->target.value == 35 && !strcmp(sfd->name, "myvar") && sfd->modifier == FLOWINT_MODIFIER_EQ) { result = 1; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -625,7 +628,7 @@ error: * \test DetectFlowintTestParseVar04 is a test to make sure that we set the * DetectFlowint correctly for checking if equal to a valid target variable */ -int DetectFlowintTestParseVar04 (void) +int DetectFlowintTestParseVar04(void) { int result = 0; DetectFlowintData *sfd = NULL; 
@@ -635,23 +638,23 @@ int DetectFlowintTestParseVar04 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar,==,targetvar"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar,==,targetvar"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && !strcmp(sfd->name, "myvar") && sfd->targettype == FLOWINT_TARGET_VAR && sfd->target.tvar.name != NULL - && !strcmp (sfd->target.tvar.name, "targetvar") + && !strcmp(sfd->target.tvar.name, "targetvar") && sfd->modifier == FLOWINT_MODIFIER_EQ) { result = 1; } - if (sfd) DetectFlowintFree (sfd); - DetectEngineCtxFree (de_ctx); + if (sfd) DetectFlowintFree(sfd); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -659,7 +662,7 @@ error: * \test DetectFlowintTestParseVal05 is a test to make sure that we set the * DetectFlowint correctly for cheking if not equal to a valid target value */ -int DetectFlowintTestParseVal05 (void) +int DetectFlowintTestParseVal05(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -669,20 +672,20 @@ int DetectFlowintTestParseVal05 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar,!=,35"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && sfd->target.value == 35 && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar,!=,35"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && sfd->target.value == 35 && !strcmp(sfd->name, "myvar") && sfd->modifier == FLOWINT_MODIFIER_NE) { result = 1; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } 
@@ -690,7 +693,7 @@ error: * \test DetectFlowintTestParseVar05 is a test to make sure that we set the * DetectFlowint correctly for checking if not equal to a valid target variable */ -int DetectFlowintTestParseVar05 (void) +int DetectFlowintTestParseVar05(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -700,23 +703,23 @@ int DetectFlowintTestParseVar05 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar,!=,targetvar"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar,!=,targetvar"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && !strcmp(sfd->name, "myvar") && sfd->targettype == FLOWINT_TARGET_VAR && sfd->target.tvar.name != NULL - && !strcmp (sfd->target.tvar.name, "targetvar") + && !strcmp(sfd->target.tvar.name, "targetvar") && sfd->modifier == FLOWINT_MODIFIER_NE) { result = 1; } - if (sfd) DetectFlowintFree (sfd); - DetectEngineCtxFree (de_ctx); + if (sfd) DetectFlowintFree(sfd); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -724,7 +727,7 @@ error: * \test DetectFlowintTestParseVal06 is a test to make sure that we set the * DetectFlowint correctly for cheking if greater than a valid target value */ -int DetectFlowintTestParseVal06 (void) +int DetectFlowintTestParseVal06(void) { int result = 0; DetectFlowintData *sfd = NULL; 
@@ -734,20 +737,20 @@ int DetectFlowintTestParseVal06 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar, >,35"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && sfd->target.value == 35 && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar, >,35"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && sfd->target.value == 35 && !strcmp(sfd->name, "myvar") && sfd->modifier == FLOWINT_MODIFIER_GT) { result = 1; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -755,7 +758,7 @@ error: * \test DetectFlowintTestParseVar06 is a test to make sure that we set the * DetectFlowint correctly for checking if greater than a valid target variable */ -int DetectFlowintTestParseVar06 (void) +int DetectFlowintTestParseVar06(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -765,23 +768,23 @@ int DetectFlowintTestParseVar06 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar, >,targetvar"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar, >,targetvar"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && !strcmp(sfd->name, "myvar") && sfd->targettype == FLOWINT_TARGET_VAR && sfd->target.tvar.name != NULL - && !strcmp (sfd->target.tvar.name, "targetvar") + && !strcmp(sfd->target.tvar.name, "targetvar") && sfd->modifier == FLOWINT_MODIFIER_GT) { result = 1; } - if (sfd) DetectFlowintFree (sfd); - DetectEngineCtxFree (de_ctx); + if (sfd) DetectFlowintFree(sfd); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } 
@@ -789,7 +792,7 @@ error: * \test DetectFlowintTestParseVal07 is a test to make sure that we set the * DetectFlowint correctly for cheking if greater or equal than a valid target value */ -int DetectFlowintTestParseVal07 (void) +int DetectFlowintTestParseVal07(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -799,20 +802,20 @@ int DetectFlowintTestParseVal07 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar, >= ,35"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && sfd->target.value == 35 && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar, >= ,35"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && sfd->target.value == 35 && !strcmp(sfd->name, "myvar") && sfd->modifier == FLOWINT_MODIFIER_GE) { result = 1; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -820,7 +823,7 @@ error: * \test DetectFlowintTestParseVar07 is a test to make sure that we set the * DetectFlowint correctly for checking if greater or equal than a valid target variable */ -int DetectFlowintTestParseVar07 (void) +int DetectFlowintTestParseVar07(void) { int result = 0; DetectFlowintData *sfd = NULL; 
@@ -830,23 +833,23 @@ int DetectFlowintTestParseVar07 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar, >= ,targetvar"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar, >= ,targetvar"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && !strcmp(sfd->name, "myvar") && sfd->targettype == FLOWINT_TARGET_VAR && sfd->target.tvar.name != NULL - && !strcmp (sfd->target.tvar.name, "targetvar") + && !strcmp(sfd->target.tvar.name, "targetvar") && sfd->modifier == FLOWINT_MODIFIER_GE) { result = 1; } - if (sfd) DetectFlowintFree (sfd); - DetectEngineCtxFree (de_ctx); + if (sfd) DetectFlowintFree(sfd); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -854,7 +857,7 @@ error: * \test DetectFlowintTestParseVal08 is a test to make sure that we set the * DetectFlowint correctly for cheking if lower or equal than a valid target value */ -int DetectFlowintTestParseVal08 (void) +int DetectFlowintTestParseVal08(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -864,20 +867,20 @@ int DetectFlowintTestParseVal08 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar, <= ,35"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && sfd->target.value == 35 && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar, <= ,35"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && sfd->target.value == 35 && !strcmp(sfd->name, "myvar") && sfd->modifier == FLOWINT_MODIFIER_LE) { result = 1; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } 
@@ -885,7 +888,7 @@ error: * \test DetectFlowintTestParseVar08 is a test to make sure that we set the * DetectFlowint correctly for checking if lower or equal than a valid target variable */ -int DetectFlowintTestParseVar08 (void) +int DetectFlowintTestParseVar08(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -895,23 +898,23 @@ int DetectFlowintTestParseVar08 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar, <= ,targetvar"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar, <= ,targetvar"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && !strcmp(sfd->name, "myvar") && sfd->targettype == FLOWINT_TARGET_VAR && sfd->target.tvar.name != NULL - && !strcmp (sfd->target.tvar.name, "targetvar") + && !strcmp(sfd->target.tvar.name, "targetvar") && sfd->modifier == FLOWINT_MODIFIER_LE) { result = 1; } - if (sfd) DetectFlowintFree (sfd); - DetectEngineCtxFree (de_ctx); + if (sfd) DetectFlowintFree(sfd); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -919,7 +922,7 @@ error: * \test DetectFlowintTestParseVal09 is a test to make sure that we set the * DetectFlowint correctly for cheking if lower than a valid target value */ -int DetectFlowintTestParseVal09 (void) +int DetectFlowintTestParseVal09(void) { int result = 0; DetectFlowintData *sfd = NULL; 
@@ -929,20 +932,20 @@ int DetectFlowintTestParseVal09 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar, < ,35"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && sfd->target.value == 35 && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar, < ,35"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && sfd->target.value == 35 && !strcmp(sfd->name, "myvar") && sfd->modifier == FLOWINT_MODIFIER_LT) { result = 1; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -950,7 +953,7 @@ error: * \test DetectFlowintTestParseVar09 is a test to make sure that we set the * DetectFlowint correctly for checking if lower than a valid target variable */ -int DetectFlowintTestParseVar09 (void) +int DetectFlowintTestParseVar09(void) { int result = 0; DetectFlowintData *sfd = NULL; @@ -960,23 +963,23 @@ int DetectFlowintTestParseVar09 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar, < ,targetvar"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar, < ,targetvar"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && !strcmp(sfd->name, "myvar") && sfd->targettype == FLOWINT_TARGET_VAR && sfd->target.tvar.name != NULL - && !strcmp (sfd->target.tvar.name, "targetvar") + && !strcmp(sfd->target.tvar.name, "targetvar") && sfd->modifier == FLOWINT_MODIFIER_LT) { result = 1; } - if (sfd) DetectFlowintFree (sfd); - DetectEngineCtxFree (de_ctx); + if (sfd) DetectFlowintFree(sfd); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } 
@@ -984,9 +987,9 @@ error: * \test DetectFlowintTestParseVar09 is a test to make sure that handle the * isset keyword correctly */ -int DetectFlowintTestParseIsset10 (void) +int DetectFlowintTestParseIsset10(void) { - int result = 0; + int result = 1; DetectFlowintData *sfd = NULL; DetectEngineCtx *de_ctx; de_ctx = DetectEngineCtxInit(); @@ -994,24 +997,36 @@ int DetectFlowintTestParseIsset10 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar, isset"); - DetectFlowintPrintData (sfd); - if (sfd != NULL && !strcmp (sfd->name, "myvar") + sfd = DetectFlowintParse(de_ctx, "myvar, isset"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && !strcmp(sfd->name, "myvar") + && sfd->targettype == FLOWINT_TARGET_SELF + && sfd->modifier == FLOWINT_MODIFIER_ISSET) { + + result &= 1; + } else { + result = 0; + } + + if (sfd) DetectFlowintFree(sfd); + sfd = DetectFlowintParse(de_ctx, "myvar, notset"); + DetectFlowintPrintData(sfd); + if (sfd != NULL && !strcmp(sfd->name, "myvar") && sfd->targettype == FLOWINT_TARGET_SELF - && sfd->modifier == FLOWINT_MODIFIER_IS) { + && sfd->modifier == FLOWINT_MODIFIER_NOTSET) { result &= 1; } else { result = 0; } - if (sfd) DetectFlowintFree (sfd); - DetectEngineCtxFree (de_ctx); + if (sfd) DetectFlowintFree(sfd); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } @@ -1019,7 +1034,7 @@ error: * \test DetectFlowintTestParseInvalidSyntaxis01 is a test to make sure that we dont set the * DetectFlowint for a invalid input option */ -int DetectFlowintTestParseInvalidSyntaxis01 (void) +int DetectFlowintTestParseInvalidSyntaxis01(void) { int result = 1; DetectFlowintData *sfd = NULL; 
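Review bot: Changing the initialiser to `int result = 1;` makes the `error:` path of DetectFlowintTestParseIsset10 report success: when `DetectEngineCtxInit()` returns NULL the function jumps to `error:` and returns `result` untouched, i.e. 1, so a test that could not even set up its engine context passes. DetectFlowintTestParseInvalidSyntaxis01 already has the same shape (`int result = 1;` with an `error:` label that returns it), so the issue is not new there but this hunk introduces it here. Either keep `int result = 0;` and assign `result = 1` only after the first successful check, or put `result = 0;` as the first statement after the `error:` label so both early exits are failures. The function body and its `error:` label are in the next hunk (`@@ -994,24 +997,36 @@`).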
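Review bot: `result &= 1;` in both the isset and the new notset success branches is a no-op — `result` only ever holds 0 or 1 — and reads as if it were accumulating something; the success branch can be empty, leaving `} else { result = 0; }`, or the condition can be inverted to a single `if (!(...)) result = 0;`. The Doxygen header above the function (in the previous hunk) still says `\test DetectFlowintTestParseVar09 is a test to make sure that handle the isset keyword correctly`, which names the wrong test and, now that `"myvar, notset"` is parsed as well, omits the second keyword; suggest `\test DetectFlowintTestParseIsset10 is a test to make sure that we handle the isset and notset keywords correctly`.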
@@ -1029,79 +1044,78 @@ int DetectFlowintTestParseInvalidSyntaxis01 (void) goto error; de_ctx->flags |= DE_QUIET; - sfd = DetectFlowintParse (de_ctx, "myvar,=,9999999999"); + sfd = DetectFlowintParse(de_ctx, "myvar,=,9999999999"); if (sfd != NULL) { - SCLogDebug ("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=,9532458716234857"); + SCLogDebug("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=,9532458716234857"); result = 0; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - sfd = DetectFlowintParse (de_ctx, "myvar,=,45targetvar"); + sfd = DetectFlowintParse(de_ctx, "myvar,=,45targetvar"); if (sfd != NULL) { - SCLogDebug ("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=,45targetvar "); + SCLogDebug("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=,45targetvar "); result = 0; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - sfd = DetectFlowintParse (de_ctx, "657myvar,=,targetvar"); + sfd = DetectFlowintParse(de_ctx, "657myvar,=,targetvar"); if (sfd != NULL) { - SCLogDebug ("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at 657myvar,=,targetvar "); + SCLogDebug("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at 657myvar,=,targetvar "); result = 0; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - sfd = DetectFlowintParse (de_ctx, "myvar,=<,targetvar"); + sfd = DetectFlowintParse(de_ctx, "myvar,=<,targetvar"); if (sfd != NULL) { - SCLogDebug ("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=<,targetvar "); + SCLogDebug("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=<,targetvar "); result = 0; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - sfd = DetectFlowintParse (de_ctx, "myvar,===,targetvar"); + sfd = DetectFlowintParse(de_ctx, "myvar,===,targetvar"); if (sfd != NULL) { - SCLogDebug 
("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,===,targetvar "); + SCLogDebug("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,===,targetvar "); result = 0; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - sfd = DetectFlowintParse (de_ctx, "myvar,=="); + sfd = DetectFlowintParse(de_ctx, "myvar,=="); if (sfd != NULL) { - SCLogDebug ("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=="); + SCLogDebug("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=="); result = 0; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - sfd = DetectFlowintParse (de_ctx, "myvar,"); + sfd = DetectFlowintParse(de_ctx, "myvar,"); if (sfd != NULL) { - SCLogDebug ("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,"); + SCLogDebug("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,"); result = 0; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - sfd = DetectFlowintParse (de_ctx, "myvar"); + sfd = DetectFlowintParse(de_ctx, "myvar"); if (sfd != NULL) { - SCLogDebug ("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar"); + SCLogDebug("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar"); result = 0; } - if (sfd) DetectFlowintFree (sfd); + if (sfd) DetectFlowintFree(sfd); - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; error: if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); return result; } - /** \test DetectFlowintTestPacket01Real * \brief Set a counter when we see a content:"GET" * and increment it by 2 if we match a "Unauthorized" - * When it reach 3 (with the last +2), another counter starts + * When it reach 3(with the last +2), another counter starts * and when that counter reach 6 packets. 
* - * All the Signatures generate an alert (its for testing) + * All the Signatures generate an alert(its for testing) * but the ignature that increment the second counter +1, that has * a "noalert", so we can do all increments * silently until we reach 6 next packets counted @@ -1331,9 +1345,9 @@ int DetectFlowintTestPacket01Real() }; uint16_t pktssizes[] = { - sizeof (pkt1), sizeof (pkt2), sizeof (pkt3), sizeof (pkt4), sizeof (pkt5), - sizeof (pkt6), sizeof (pkt7), sizeof (pkt8), sizeof (pkt9), sizeof (pkt10), - sizeof (pkt11) + sizeof(pkt1), sizeof(pkt2), sizeof(pkt3), sizeof(pkt4), sizeof(pkt5), + sizeof(pkt6), sizeof(pkt7), sizeof(pkt8), sizeof(pkt9), sizeof(pkt10), + sizeof(pkt11) }; Packet p; @@ -1342,10 +1356,10 @@ int DetectFlowintTestPacket01Real() ThreadVars th_v; DetectEngineThreadCtx *det_ctx = NULL; - memset (&dtv, 0, sizeof (DecodeThreadVars)); - memset (&th_v, 0, sizeof (th_v)); + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&th_v, 0, sizeof(th_v)); - FlowInitConfig (FLOW_QUIET); + FlowInitConfig(FLOW_QUIET); DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { 
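Review bot: The first diagnostic in DetectFlowintTestParseInvalidSyntaxis01 names a value that is not the one being parsed: the call is `DetectFlowintParse(de_ctx, "myvar,=,9999999999")` but the `SCLogDebug` that follows says `invalid option at myvar,=,9532458716234857`, which will mislead whoever debugs a failure of this out-of-range case. Since the commit already rewrites that line, change it to `SCLogDebug("DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=,9999999999");`. The mechanical reformatting also removed the space before a parenthesis in two comment lines, `When it reach 3(with the last +2)` and `generate an alert(its for testing)`; the old spacing was correct in prose and should be restored. The enclosing function begins before this hunk, and the trailing comment belongs to DetectFlowintTestPacket01Real, whose body lies outside it.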
@@ -1355,142 +1369,814 @@ int DetectFlowintTestPacket01Real() de_ctx->flags |= DE_QUIET; /* Now that we have the array of packets for the flow, prepare the signatures */ - de_ctx->sig_list = SigInit (de_ctx, "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint: myvar,=,1; flowint: maxvar,=,6;sid:101;)"); + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint:myvar,=,1; flowint:maxvar,=,6; sid:101;)"); - de_ctx->sig_list->next = SigInit (de_ctx, "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint: myvar,+,2; sid:102;)"); + de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint: myvar,+,2; sid:102;)"); - de_ctx->sig_list->next->next = SigInit (de_ctx, "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar,==,3; flowint: cntpackets, =, 0; sid:103;)"); + de_ctx->sig_list->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar,==,3; flowint: cntpackets, =, 0; sid:103;)"); - de_ctx->sig_list->next->next->next = SigInit (de_ctx, "alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: myvar,==,3; flowint: cntpackets, +, 1; noalert;sid:104;)"); + de_ctx->sig_list->next->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: myvar,==,3; flowint: cntpackets, +, 1; noalert;sid:104;)"); /* comparation of myvar with maxvar */ - de_ctx->sig_list->next->next->next->next = SigInit (de_ctx, "alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, ==, maxvar; sid:105;)"); + 
de_ctx->sig_list->next->next->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, ==, maxvar; sid:105;)"); /* I know it's a bit ugly, */ de_ctx->sig_list->next->next->next->next->next = NULL; - SigGroupBuild (de_ctx); - //PatternMatchPrepare (mpm_ctx, MPM_B2G); - DetectEngineThreadCtxInit (&th_v, (void *) de_ctx, (void *) &det_ctx); + SigGroupBuild(de_ctx); + //PatternMatchPrepare(mpm_ctx, MPM_B2G); + DetectEngineThreadCtxInit(&th_v,(void *) de_ctx,(void *) &det_ctx); /* Get the idx of the vars we are going to track */ uint16_t idx1, idx2; - idx1 = VariableNameGetIdx (det_ctx->de_ctx, "myvar", DETECT_FLOWINT); - idx2 = VariableNameGetIdx (det_ctx->de_ctx, "cntpackets", DETECT_FLOWINT); + idx1 = VariableNameGetIdx(det_ctx->de_ctx, "myvar", DETECT_FLOWINT); + idx2 = VariableNameGetIdx(det_ctx->de_ctx, "cntpackets", DETECT_FLOWINT); int i; /* Decode the packets, and test the matches*/ for (i = 0;i < 11;i++) { - memset (&p, 0, sizeof (Packet)); - DecodeEthernet (&th_v, &dtv, &p, pkts[i], pktssizes[i], NULL); + memset(&p, 0, sizeof(Packet)); + DecodeEthernet(&th_v, &dtv, &p, pkts[i], pktssizes[i], NULL); - SigMatchSignatures (&th_v, de_ctx, det_ctx, &p); + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); - switch (i) { + switch(i) { case 3: - if (PacketAlertCheck (&p, 101) == 0) { - SCLogDebug ("Not declared/initialized!"); + if (PacketAlertCheck(&p, 101) == 0) { + SCLogDebug("Not declared/initialized!"); result = 0; } break; case 5: - if (PacketAlertCheck (&p, 102) == 0) { - SCLogDebug ("Not incremented!"); + if (PacketAlertCheck(&p, 102) == 0) { + SCLogDebug("Not incremented!"); result = 0; } - if (PacketAlertCheck (&p, 103) == 0) { - SCLogDebug ("myvar is not 3 or bad cmp!!"); + if (PacketAlertCheck(&p, 103) == 0) { + SCLogDebug("myvar is not 3 or bad cmp!!"); result = 0; } break; case 10: - if (PacketAlertCheck (&p, 105) == 0) { - SCLogDebug ("Not declared/initialized/or well incremented the" + if 
(PacketAlertCheck(&p, 105) == 0) { + SCLogDebug("Not declared/initialized/or well incremented the" " second var!"); result = 0; } break; } - SCLogDebug ("Raw Packet %d has %u alerts ", i, p.alerts.cnt); + SCLogDebug("Raw Packet %d has %u alerts ", i, p.alerts.cnt); } - SigGroupCleanup (de_ctx); - SigCleanSignatures (de_ctx); + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); - DetectEngineThreadCtxDeinit (&th_v, (void *) det_ctx); - //PatternMatchDestroy (mpm_ctx); - DetectEngineCtxFree (de_ctx); + DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx); + //PatternMatchDestroy(mpm_ctx); + DetectEngineCtxFree(de_ctx); FlowShutdown(); return result; end: if (de_ctx) { - SigGroupCleanup (de_ctx); - SigCleanSignatures (de_ctx); + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); } if (det_ctx) - DetectEngineThreadCtxDeinit (&th_v, (void *) det_ctx); - //PatternMatchDestroy (mpm_ctx); + DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx); + //PatternMatchDestroy(mpm_ctx); if (de_ctx) - DetectEngineCtxFree (de_ctx); + DetectEngineCtxFree(de_ctx); FlowShutdown(); return result; } +/** + * \test DetectFlowintTestPacket02Real + * \brief like DetectFlowintTestPacket01Real but using isset/notset keywords + */ +int DetectFlowintTestPacket02Real() +{ + int result = 1; + + uint8_t pkt1[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x3c, 0xc2, 0x26, 0x40, 0x00, 0x40, 0x06, + 0xf4, 0x67, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x82, 0xb5, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, + 0x16, 0xd0, 0xe8, 0xb0, 0x00, 0x00, 0x02, 0x04, + 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x01, 0x72, + 0x40, 0x93, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, + 0x03, 0x07 + }; + + uint8_t pkt2[] = { + 0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a, + 0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x3c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, + 0xb6, 0x8e, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, + 
0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04, + 0x8b, 0xdd, 0x17, 0x51, 0x82, 0xb6, 0xa0, 0x12, + 0x16, 0x80, 0x17, 0x8a, 0x00, 0x00, 0x02, 0x04, + 0x05, 0xac, 0x04, 0x02, 0x08, 0x0a, 0x01, 0x29, + 0x23, 0x63, 0x01, 0x72, 0x40, 0x93, 0x01, 0x03, + 0x03, 0x07 + }; + + uint8_t pkt3[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0xc2, 0x27, 0x40, 0x00, 0x40, 0x06, + 0xf4, 0x6e, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x82, 0xb6, 0x21, 0x04, 0x8b, 0xde, 0x80, 0x10, + 0x00, 0x2e, 0x5c, 0xa0, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x72, 0x40, 0x93, 0x01, 0x29, + 0x23, 0x63 + }; + + uint8_t pkt4[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00, + 0x01, 0x12, 0xc2, 0x28, 0x40, 0x00, 0x40, 0x06, + 0xf3, 0x8f, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x82, 0xb6, 0x21, 0x04, 0x8b, 0xde, 0x80, 0x18, + 0x00, 0x2e, 0x24, 0x39, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x72, 0x40, 0x93, 0x01, 0x29, + 0x23, 0x63, 0x47, 0x45, 0x54, 0x20, 0x2f, 0x20, + 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, + 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, + 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, + 0x31, 0x2e, 0x31, 0x0d, 0x0a, 0x41, 0x63, 0x63, + 0x65, 0x70, 0x74, 0x3a, 0x20, 0x74, 0x65, 0x78, + 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x2c, 0x20, + 0x74, 0x65, 0x78, 0x74, 0x2f, 0x70, 0x6c, 0x61, + 0x69, 0x6e, 0x2c, 0x20, 0x74, 0x65, 0x78, 0x74, + 0x2f, 0x63, 0x73, 0x73, 0x2c, 0x20, 0x74, 0x65, + 0x78, 0x74, 0x2f, 0x73, 0x67, 0x6d, 0x6c, 0x2c, + 0x20, 0x2a, 0x2f, 0x2a, 0x3b, 0x71, 0x3d, 0x30, + 0x2e, 0x30, 0x31, 0x0d, 0x0a, 0x41, 0x63, 0x63, + 0x65, 0x70, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x6f, + 0x64, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x67, 0x7a, + 0x69, 0x70, 0x2c, 0x20, 0x62, 0x7a, 0x69, 0x70, + 0x32, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, + 0x74, 0x2d, 0x4c, 
0x61, 0x6e, 0x67, 0x75, 0x61, + 0x67, 0x65, 0x3a, 0x20, 0x65, 0x6e, 0x0d, 0x0a, + 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, + 0x6e, 0x74, 0x3a, 0x20, 0x4c, 0x79, 0x6e, 0x78, + 0x2f, 0x32, 0x2e, 0x38, 0x2e, 0x36, 0x72, 0x65, + 0x6c, 0x2e, 0x34, 0x20, 0x6c, 0x69, 0x62, 0x77, + 0x77, 0x77, 0x2d, 0x46, 0x4d, 0x2f, 0x32, 0x2e, + 0x31, 0x34, 0x20, 0x53, 0x53, 0x4c, 0x2d, 0x4d, + 0x4d, 0x2f, 0x31, 0x2e, 0x34, 0x2e, 0x31, 0x20, + 0x47, 0x4e, 0x55, 0x54, 0x4c, 0x53, 0x2f, 0x32, + 0x2e, 0x30, 0x2e, 0x34, 0x0d, 0x0a, 0x0d, 0x0a + }; + + uint8_t pkt5[] = { + 0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a, + 0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0xa8, 0xbd, 0x40, 0x00, 0x40, 0x06, + 0x0d, 0xd9, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, + 0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04, + 0x8b, 0xde, 0x17, 0x51, 0x83, 0x94, 0x80, 0x10, + 0x00, 0x2d, 0x5b, 0xc3, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x29, 0x23, 0x63, 0x01, 0x72, + 0x40, 0x93 + }; + + uint8_t pkt6[] = { + 0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a, + 0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00, + 0x01, 0xe4, 0xa8, 0xbe, 0x40, 0x00, 0x40, 0x06, + 0x0c, 0x28, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, + 0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04, + 0x8b, 0xde, 0x17, 0x51, 0x83, 0x94, 0x80, 0x18, + 0x00, 0x2d, 0x1b, 0x84, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x29, 0x23, 0x6a, 0x01, 0x72, + 0x40, 0x93, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, + 0x2e, 0x31, 0x20, 0x34, 0x30, 0x31, 0x20, 0x55, + 0x6e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x7a, 0x65, 0x64, 0x0d, 0x0a, 0x53, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x3a, 0x20, 0x6d, 0x69, 0x63, + 0x72, 0x6f, 0x5f, 0x68, 0x74, 0x74, 0x70, 0x64, + 0x0d, 0x0a, 0x43, 0x61, 0x63, 0x68, 0x65, 0x2d, + 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x3a, + 0x20, 0x6e, 0x6f, 0x2d, 0x63, 0x61, 0x63, 0x68, + 0x65, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, + 0x20, 0x57, 0x65, 0x64, 0x2c, 0x20, 0x31, 0x34, + 0x20, 0x4f, 0x63, 0x74, 0x20, 0x32, 0x30, 0x30, + 
0x39, 0x20, 0x31, 0x33, 0x3a, 0x34, 0x39, 0x3a, + 0x35, 0x33, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, + 0x57, 0x57, 0x57, 0x2d, 0x41, 0x75, 0x74, 0x68, + 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x3a, 0x20, 0x42, 0x61, 0x73, 0x69, 0x63, 0x20, + 0x72, 0x65, 0x61, 0x6c, 0x6d, 0x3d, 0x22, 0x44, + 0x53, 0x4c, 0x20, 0x52, 0x6f, 0x75, 0x74, 0x65, + 0x72, 0x22, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, + 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, + 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, + 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, + 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, + 0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, + 0x0d, 0x0a, 0x3c, 0x48, 0x54, 0x4d, 0x4c, 0x3e, + 0x3c, 0x48, 0x45, 0x41, 0x44, 0x3e, 0x3c, 0x54, + 0x49, 0x54, 0x4c, 0x45, 0x3e, 0x34, 0x30, 0x31, + 0x20, 0x55, 0x6e, 0x61, 0x75, 0x74, 0x68, 0x6f, + 0x72, 0x69, 0x7a, 0x65, 0x64, 0x3c, 0x2f, 0x54, + 0x49, 0x54, 0x4c, 0x45, 0x3e, 0x3c, 0x2f, 0x48, + 0x45, 0x41, 0x44, 0x3e, 0x0a, 0x3c, 0x42, 0x4f, + 0x44, 0x59, 0x20, 0x42, 0x47, 0x43, 0x4f, 0x4c, + 0x4f, 0x52, 0x3d, 0x22, 0x23, 0x63, 0x63, 0x39, + 0x39, 0x39, 0x39, 0x22, 0x3e, 0x3c, 0x48, 0x34, + 0x3e, 0x34, 0x30, 0x31, 0x20, 0x55, 0x6e, 0x61, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, + 0x64, 0x3c, 0x2f, 0x48, 0x34, 0x3e, 0x0a, 0x41, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x72, 0x65, 0x71, + 0x75, 0x69, 0x72, 0x65, 0x64, 0x2e, 0x0a, 0x3c, + 0x48, 0x52, 0x3e, 0x0a, 0x3c, 0x41, 0x44, 0x44, + 0x52, 0x45, 0x53, 0x53, 0x3e, 0x3c, 0x41, 0x20, + 0x48, 0x52, 0x45, 0x46, 0x3d, 0x22, 0x68, 0x74, + 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, + 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x73, 0x6f, 0x66, 0x74, 0x77, 0x61, + 0x72, 0x65, 0x2f, 0x6d, 0x69, 0x63, 0x72, 0x6f, + 0x5f, 0x68, 0x74, 0x74, 0x70, 0x64, 0x2f, 0x22, + 0x3e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x5f, 0x68, + 0x74, 0x74, 0x70, 0x64, 0x3c, 0x2f, 0x41, 0x3e, + 0x3c, 0x2f, 0x41, 0x44, 0x44, 0x52, 0x45, 0x53, + 
0x53, 0x3e, 0x0a, 0x3c, 0x2f, 0x42, 0x4f, 0x44, + 0x59, 0x3e, 0x3c, 0x2f, 0x48, 0x54, 0x4d, 0x4c, + 0x3e, 0x0a + }; + + uint8_t pkt7[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0xc2, 0x29, 0x40, 0x00, 0x40, 0x06, + 0xf4, 0x6c, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x83, 0x94, 0x21, 0x04, 0x8d, 0x8e, 0x80, 0x10, + 0x00, 0x36, 0x59, 0xfa, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x72, 0x40, 0x9c, 0x01, 0x29, + 0x23, 0x6a + }; + + uint8_t pkt8[] = { + 0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a, + 0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0xa8, 0xbf, 0x40, 0x00, 0x40, 0x06, + 0x0d, 0xd7, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, + 0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04, + 0x8d, 0x8e, 0x17, 0x51, 0x83, 0x94, 0x80, 0x11, + 0x00, 0x2d, 0x5a, 0x0b, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x29, 0x23, 0x6a, 0x01, 0x72, + 0x40, 0x93 + }; + + uint8_t pkt9[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0xc2, 0x2a, 0x40, 0x00, 0x40, 0x06, + 0xf4, 0x6b, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x83, 0x94, 0x21, 0x04, 0x8d, 0x8f, 0x80, 0x10, + 0x00, 0x36, 0x59, 0xef, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x72, 0x40, 0xa6, 0x01, 0x29, + 0x23, 0x6a + }; + + uint8_t pkt10[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0xc2, 0x2b, 0x40, 0x00, 0x40, 0x06, + 0xf4, 0x6a, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x83, 0x94, 0x21, 0x04, 0x8d, 0x8f, 0x80, 0x11, + 0x00, 0x36, 0x57, 0x0a, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x72, 0x43, 0x8a, 0x01, 0x29, + 0x23, 0x6a + }; + + uint8_t pkt11[] = { + 0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a, + 0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 
0x00, + 0x00, 0x34, 0x10, 0xaf, 0x40, 0x00, 0x40, 0x06, + 0xa5, 0xe7, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, + 0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04, + 0x8d, 0x8f, 0x17, 0x51, 0x83, 0x95, 0x80, 0x10, + 0x00, 0x2d, 0x54, 0xbb, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x29, 0x25, 0xc2, 0x01, 0x72, + 0x43, 0x8a + }; + + uint8_t *pkts[] = { + pkt1, pkt2, pkt3, pkt4, pkt5, pkt6, pkt7, pkt8, + pkt9, pkt10, pkt11 + }; + + uint16_t pktssizes[] = { + sizeof(pkt1), sizeof(pkt2), sizeof(pkt3), sizeof(pkt4), sizeof(pkt5), + sizeof(pkt6), sizeof(pkt7), sizeof(pkt8), sizeof(pkt9), sizeof(pkt10), + sizeof(pkt11) + }; + + Packet p; + DecodeThreadVars dtv; + + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&th_v, 0, sizeof(th_v)); + + FlowInitConfig(FLOW_QUIET); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + + /* Now that we have the array of packets for the flow, prepare the signatures */ + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint: myvar, notset; flowint:maxvar,notset; flowint: myvar,=,1; flowint: maxvar,=,6; sid:101;)"); + + de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: myvar,+,2; sid:102;)"); + + de_ctx->sig_list->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar, isset; flowint: myvar,==,3; flowint:cntpackets,notset; flowint: cntpackets, =, 0; sid:103;)"); + + de_ctx->sig_list->next->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: cntpackets,isset; flowint: cntpackets, +, 1; noalert;sid:104;)"); + + /* comparation of 
myvar with maxvar */ + de_ctx->sig_list->next->next->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, isset; flowint: maxvar,isset; flowint: cntpackets, ==, maxvar; sid:105;)"); + + /* I know it's a bit ugly, */ + de_ctx->sig_list->next->next->next->next->next = NULL; + + SigGroupBuild(de_ctx); + //PatternMatchPrepare(mpm_ctx, MPM_B2G); + DetectEngineThreadCtxInit(&th_v,(void *) de_ctx,(void *) &det_ctx); + + /* Get the idx of the vars we are going to track */ + uint16_t idx1, idx2; + idx1 = VariableNameGetIdx(det_ctx->de_ctx, "myvar", DETECT_FLOWINT); + idx2 = VariableNameGetIdx(det_ctx->de_ctx, "cntpackets", DETECT_FLOWINT); + + int i; + + /* Decode the packets, and test the matches*/ + for (i = 0;i < 11;i++) { + memset(&p, 0, sizeof(Packet)); + DecodeEthernet(&th_v, &dtv, &p, pkts[i], pktssizes[i], NULL); + + SigMatchSignatures(&th_v, de_ctx, det_ctx, &p); + + switch(i) { + case 3: + if (PacketAlertCheck(&p, 101) == 0) { + SCLogDebug("Not declared/initialized!"); + result = 0; + } + break; + case 5: + if (PacketAlertCheck(&p, 102) == 0) { + SCLogDebug("Not incremented!"); + result = 0; + } + + if (PacketAlertCheck(&p, 103) == 0) { + SCLogDebug("myvar is not 3 or bad cmp!!"); + result = 0; + } + break; + case 10: + if (PacketAlertCheck(&p, 105) == 0) { + SCLogDebug("Not declared/initialized/or well incremented the" + " second var!"); + result = 0; + } + break; + } + SCLogDebug("Raw Packet %d has %u alerts ", i, p.alerts.cnt); + } + + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx); + //PatternMatchDestroy(mpm_ctx); + DetectEngineCtxFree(de_ctx); + FlowShutdown(); + + return result; + +end: + if (de_ctx) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + } + if (det_ctx) + DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx); + //PatternMatchDestroy(mpm_ctx); + if (de_ctx) + DetectEngineCtxFree(de_ctx); + + FlowShutdown(); 
+ return result; +} + +/** + * \test DetectFlowintTestPacket03Real + * \brief Check the behaviour of isset/notset + */ +int DetectFlowintTestPacket03Real() +{ + int result = 1; + + uint8_t pkt1[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x3c, 0xc2, 0x26, 0x40, 0x00, 0x40, 0x06, + 0xf4, 0x67, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x82, 0xb5, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, + 0x16, 0xd0, 0xe8, 0xb0, 0x00, 0x00, 0x02, 0x04, + 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x01, 0x72, + 0x40, 0x93, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, + 0x03, 0x07 + }; + + uint8_t pkt2[] = { + 0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a, + 0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x3c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, + 0xb6, 0x8e, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, + 0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04, + 0x8b, 0xdd, 0x17, 0x51, 0x82, 0xb6, 0xa0, 0x12, + 0x16, 0x80, 0x17, 0x8a, 0x00, 0x00, 0x02, 0x04, + 0x05, 0xac, 0x04, 0x02, 0x08, 0x0a, 0x01, 0x29, + 0x23, 0x63, 0x01, 0x72, 0x40, 0x93, 0x01, 0x03, + 0x03, 0x07 + }; + + uint8_t pkt3[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0xc2, 0x27, 0x40, 0x00, 0x40, 0x06, + 0xf4, 0x6e, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x82, 0xb6, 0x21, 0x04, 0x8b, 0xde, 0x80, 0x10, + 0x00, 0x2e, 0x5c, 0xa0, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x72, 0x40, 0x93, 0x01, 0x29, + 0x23, 0x63 + }; + + uint8_t pkt4[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00, + 0x01, 0x12, 0xc2, 0x28, 0x40, 0x00, 0x40, 0x06, + 0xf3, 0x8f, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x82, 0xb6, 0x21, 0x04, 0x8b, 0xde, 0x80, 0x18, + 0x00, 0x2e, 0x24, 0x39, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x72, 
0x40, 0x93, 0x01, 0x29, + 0x23, 0x63, 0x47, 0x45, 0x54, 0x20, 0x2f, 0x20, + 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, + 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, + 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, + 0x31, 0x2e, 0x31, 0x0d, 0x0a, 0x41, 0x63, 0x63, + 0x65, 0x70, 0x74, 0x3a, 0x20, 0x74, 0x65, 0x78, + 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x2c, 0x20, + 0x74, 0x65, 0x78, 0x74, 0x2f, 0x70, 0x6c, 0x61, + 0x69, 0x6e, 0x2c, 0x20, 0x74, 0x65, 0x78, 0x74, + 0x2f, 0x63, 0x73, 0x73, 0x2c, 0x20, 0x74, 0x65, + 0x78, 0x74, 0x2f, 0x73, 0x67, 0x6d, 0x6c, 0x2c, + 0x20, 0x2a, 0x2f, 0x2a, 0x3b, 0x71, 0x3d, 0x30, + 0x2e, 0x30, 0x31, 0x0d, 0x0a, 0x41, 0x63, 0x63, + 0x65, 0x70, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x6f, + 0x64, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x67, 0x7a, + 0x69, 0x70, 0x2c, 0x20, 0x62, 0x7a, 0x69, 0x70, + 0x32, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, + 0x74, 0x2d, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61, + 0x67, 0x65, 0x3a, 0x20, 0x65, 0x6e, 0x0d, 0x0a, + 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, + 0x6e, 0x74, 0x3a, 0x20, 0x4c, 0x79, 0x6e, 0x78, + 0x2f, 0x32, 0x2e, 0x38, 0x2e, 0x36, 0x72, 0x65, + 0x6c, 0x2e, 0x34, 0x20, 0x6c, 0x69, 0x62, 0x77, + 0x77, 0x77, 0x2d, 0x46, 0x4d, 0x2f, 0x32, 0x2e, + 0x31, 0x34, 0x20, 0x53, 0x53, 0x4c, 0x2d, 0x4d, + 0x4d, 0x2f, 0x31, 0x2e, 0x34, 0x2e, 0x31, 0x20, + 0x47, 0x4e, 0x55, 0x54, 0x4c, 0x53, 0x2f, 0x32, + 0x2e, 0x30, 0x2e, 0x34, 0x0d, 0x0a, 0x0d, 0x0a + }; + + uint8_t pkt5[] = { + 0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a, + 0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0xa8, 0xbd, 0x40, 0x00, 0x40, 0x06, + 0x0d, 0xd9, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, + 0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04, + 0x8b, 0xde, 0x17, 0x51, 0x83, 0x94, 0x80, 0x10, + 0x00, 0x2d, 0x5b, 0xc3, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x29, 0x23, 0x63, 0x01, 0x72, + 0x40, 0x93 + }; + + uint8_t pkt6[] = { + 0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a, + 0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00, + 0x01, 
0xe4, 0xa8, 0xbe, 0x40, 0x00, 0x40, 0x06, + 0x0c, 0x28, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, + 0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04, + 0x8b, 0xde, 0x17, 0x51, 0x83, 0x94, 0x80, 0x18, + 0x00, 0x2d, 0x1b, 0x84, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x29, 0x23, 0x6a, 0x01, 0x72, + 0x40, 0x93, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, + 0x2e, 0x31, 0x20, 0x34, 0x30, 0x31, 0x20, 0x55, + 0x6e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x7a, 0x65, 0x64, 0x0d, 0x0a, 0x53, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x3a, 0x20, 0x6d, 0x69, 0x63, + 0x72, 0x6f, 0x5f, 0x68, 0x74, 0x74, 0x70, 0x64, + 0x0d, 0x0a, 0x43, 0x61, 0x63, 0x68, 0x65, 0x2d, + 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x3a, + 0x20, 0x6e, 0x6f, 0x2d, 0x63, 0x61, 0x63, 0x68, + 0x65, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, + 0x20, 0x57, 0x65, 0x64, 0x2c, 0x20, 0x31, 0x34, + 0x20, 0x4f, 0x63, 0x74, 0x20, 0x32, 0x30, 0x30, + 0x39, 0x20, 0x31, 0x33, 0x3a, 0x34, 0x39, 0x3a, + 0x35, 0x33, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, + 0x57, 0x57, 0x57, 0x2d, 0x41, 0x75, 0x74, 0x68, + 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x3a, 0x20, 0x42, 0x61, 0x73, 0x69, 0x63, 0x20, + 0x72, 0x65, 0x61, 0x6c, 0x6d, 0x3d, 0x22, 0x44, + 0x53, 0x4c, 0x20, 0x52, 0x6f, 0x75, 0x74, 0x65, + 0x72, 0x22, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, + 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, + 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, + 0x74, 0x6d, 0x6c, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, + 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, + 0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, + 0x0d, 0x0a, 0x3c, 0x48, 0x54, 0x4d, 0x4c, 0x3e, + 0x3c, 0x48, 0x45, 0x41, 0x44, 0x3e, 0x3c, 0x54, + 0x49, 0x54, 0x4c, 0x45, 0x3e, 0x34, 0x30, 0x31, + 0x20, 0x55, 0x6e, 0x61, 0x75, 0x74, 0x68, 0x6f, + 0x72, 0x69, 0x7a, 0x65, 0x64, 0x3c, 0x2f, 0x54, + 0x49, 0x54, 0x4c, 0x45, 0x3e, 0x3c, 0x2f, 0x48, + 0x45, 0x41, 0x44, 0x3e, 0x0a, 0x3c, 0x42, 0x4f, + 0x44, 0x59, 0x20, 0x42, 0x47, 0x43, 0x4f, 0x4c, + 0x4f, 0x52, 0x3d, 0x22, 0x23, 0x63, 0x63, 0x39, + 0x39, 
0x39, 0x39, 0x22, 0x3e, 0x3c, 0x48, 0x34, + 0x3e, 0x34, 0x30, 0x31, 0x20, 0x55, 0x6e, 0x61, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, + 0x64, 0x3c, 0x2f, 0x48, 0x34, 0x3e, 0x0a, 0x41, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x72, 0x65, 0x71, + 0x75, 0x69, 0x72, 0x65, 0x64, 0x2e, 0x0a, 0x3c, + 0x48, 0x52, 0x3e, 0x0a, 0x3c, 0x41, 0x44, 0x44, + 0x52, 0x45, 0x53, 0x53, 0x3e, 0x3c, 0x41, 0x20, + 0x48, 0x52, 0x45, 0x46, 0x3d, 0x22, 0x68, 0x74, + 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, + 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x73, 0x6f, 0x66, 0x74, 0x77, 0x61, + 0x72, 0x65, 0x2f, 0x6d, 0x69, 0x63, 0x72, 0x6f, + 0x5f, 0x68, 0x74, 0x74, 0x70, 0x64, 0x2f, 0x22, + 0x3e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x5f, 0x68, + 0x74, 0x74, 0x70, 0x64, 0x3c, 0x2f, 0x41, 0x3e, + 0x3c, 0x2f, 0x41, 0x44, 0x44, 0x52, 0x45, 0x53, + 0x53, 0x3e, 0x0a, 0x3c, 0x2f, 0x42, 0x4f, 0x44, + 0x59, 0x3e, 0x3c, 0x2f, 0x48, 0x54, 0x4d, 0x4c, + 0x3e, 0x0a + }; + + uint8_t pkt7[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0xc2, 0x29, 0x40, 0x00, 0x40, 0x06, + 0xf4, 0x6c, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x83, 0x94, 0x21, 0x04, 0x8d, 0x8e, 0x80, 0x10, + 0x00, 0x36, 0x59, 0xfa, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x72, 0x40, 0x9c, 0x01, 0x29, + 0x23, 0x6a + }; + + uint8_t pkt8[] = { + 0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a, + 0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0xa8, 0xbf, 0x40, 0x00, 0x40, 0x06, + 0x0d, 0xd7, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, + 0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04, + 0x8d, 0x8e, 0x17, 0x51, 0x83, 0x94, 0x80, 0x11, + 0x00, 0x2d, 0x5a, 0x0b, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x29, 0x23, 0x6a, 0x01, 0x72, + 0x40, 0x93 + }; + + uint8_t pkt9[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 
0x00, 0x45, 0x00, + 0x00, 0x34, 0xc2, 0x2a, 0x40, 0x00, 0x40, 0x06, + 0xf4, 0x6b, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x83, 0x94, 0x21, 0x04, 0x8d, 0x8f, 0x80, 0x10, + 0x00, 0x36, 0x59, 0xef, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x72, 0x40, 0xa6, 0x01, 0x29, + 0x23, 0x6a + }; + + uint8_t pkt10[] = { + 0x00, 0x1a, 0x2b, 0x19, 0x52, 0xa8, 0x00, 0x13, + 0x20, 0x65, 0x1a, 0x9e, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0xc2, 0x2b, 0x40, 0x00, 0x40, 0x06, + 0xf4, 0x6a, 0xc0, 0xa8, 0x01, 0xdc, 0xc0, 0xa8, + 0x01, 0x01, 0xe7, 0xf5, 0x00, 0x50, 0x17, 0x51, + 0x83, 0x94, 0x21, 0x04, 0x8d, 0x8f, 0x80, 0x11, + 0x00, 0x36, 0x57, 0x0a, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x72, 0x43, 0x8a, 0x01, 0x29, + 0x23, 0x6a + }; + + uint8_t pkt11[] = { + 0x00, 0x13, 0x20, 0x65, 0x1a, 0x9e, 0x00, 0x1a, + 0x2b, 0x19, 0x52, 0xa8, 0x08, 0x00, 0x45, 0x00, + 0x00, 0x34, 0x10, 0xaf, 0x40, 0x00, 0x40, 0x06, + 0xa5, 0xe7, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, + 0x01, 0xdc, 0x00, 0x50, 0xe7, 0xf5, 0x21, 0x04, + 0x8d, 0x8f, 0x17, 0x51, 0x83, 0x95, 0x80, 0x10, + 0x00, 0x2d, 0x54, 0xbb, 0x00, 0x00, 0x01, 0x01, + 0x08, 0x0a, 0x01, 0x29, 0x25, 0xc2, 0x01, 0x72, + 0x43, 0x8a + }; + + uint8_t *pkts[] = { + pkt1, pkt2, pkt3, pkt4, pkt5, pkt6, pkt7, pkt8, + pkt9, pkt10, pkt11 + }; + + uint16_t pktssizes[] = { + sizeof(pkt1), sizeof(pkt2), sizeof(pkt3), sizeof(pkt4), sizeof(pkt5), + sizeof(pkt6), sizeof(pkt7), sizeof(pkt8), sizeof(pkt9), sizeof(pkt10), + sizeof(pkt11) + }; + + Packet p; + DecodeThreadVars dtv; + + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&th_v, 0, sizeof(th_v)); + + FlowInitConfig(FLOW_QUIET); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + + /* Now that we have the array of packets for the flow, prepare the signatures */ + de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any 
any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; sid:101;)");
+
+ de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; sid:102;)");
+
+ de_ctx->sig_list->next->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; sid:103;)");
+
+ de_ctx->sig_list->next->next->next = NULL;
+
+ SigGroupBuild(de_ctx);
+ //PatternMatchPrepare(mpm_ctx, MPM_B2G);
+ DetectEngineThreadCtxInit(&th_v,(void *) de_ctx,(void *) &det_ctx);
+
+ /* Get the idx of the vars we are going to track */
+ uint16_t idx1, idx2;
+ idx1 = VariableNameGetIdx(det_ctx->de_ctx, "myvar", DETECT_FLOWINT);
+ idx2 = VariableNameGetIdx(det_ctx->de_ctx, "cntpackets", DETECT_FLOWINT);
+
+ int i;
+
+ /* Decode the packets, and test the matches*/
+ for (i = 0;i < 11;i++) {
+ memset(&p, 0, sizeof(Packet));
+ DecodeEthernet(&th_v, &dtv, &p, pkts[i], pktssizes[i], NULL);
+
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+
+ switch(i) {
+ case 3:
+ if (PacketAlertCheck(&p, 101) == 0) {
+ SCLogDebug("Not declared/initialized but match!");
+ result = 0;
+ }
+ if (PacketAlertCheck(&p, 103) != 0) {
+ SCLogDebug(" var lala is never set, it should NOT match!!");
+ result = 0;
+ }
+ break;
+ case 5:
+ if (PacketAlertCheck(&p, 102) == 0) {
+ SCLogDebug("Not incremented!");
+ result = 0;
+ }
+
+ if (PacketAlertCheck(&p, 103) != 0) {
+ SCLogDebug(" var lala is never set, it should NOT match!!");
+ result = 0;
+ }
+ break;
+ }
+ SCLogDebug("Raw Packet %d has %u alerts ", i, p.alerts.cnt);
+ }
+
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+
+ DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx);
+ //PatternMatchDestroy(mpm_ctx);
+ DetectEngineCtxFree(de_ctx);
+ FlowShutdown();
+
+ return result;
+
+end:
+ if (de_ctx) {
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ }
+ if (det_ctx)
+ DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx);
+ //PatternMatchDestroy(mpm_ctx);
+ if (de_ctx)
+ DetectEngineCtxFree(de_ctx);
+
+ FlowShutdown();
+ return result;
+}
 #endif /* UNITTESTS */
 /**
 * \brief this function registers unit tests for DetectFlowint
 */
-void DetectFlowintRegisterTests (void)
+void DetectFlowintRegisterTests(void)
 {
 #ifdef UNITTESTS /* UNITTESTS */
- UtRegisterTest ("DetectFlowintTestParseVal01",
+ UtRegisterTest("DetectFlowintTestParseVal01",
 DetectFlowintTestParseVal01, 1);
- UtRegisterTest ("DetectFlowintTestParseVar01",
+ UtRegisterTest("DetectFlowintTestParseVar01",
 DetectFlowintTestParseVar01, 1);
- UtRegisterTest ("DetectFlowintTestParseVal02",
+ UtRegisterTest("DetectFlowintTestParseVal02",
 DetectFlowintTestParseVal02, 1);
- UtRegisterTest ("DetectFlowintTestParseVar02",
+ UtRegisterTest("DetectFlowintTestParseVar02",
 DetectFlowintTestParseVar02, 1);
- UtRegisterTest ("DetectFlowintTestParseVal03",
+ UtRegisterTest("DetectFlowintTestParseVal03",
 DetectFlowintTestParseVal03, 1);
- UtRegisterTest ("DetectFlowintTestParseVar03",
+ UtRegisterTest("DetectFlowintTestParseVar03",
 DetectFlowintTestParseVar03, 1);
- UtRegisterTest ("DetectFlowintTestParseVal04",
+ UtRegisterTest("DetectFlowintTestParseVal04",
 DetectFlowintTestParseVal04, 1);
- UtRegisterTest ("DetectFlowintTestParseVar04",
+ UtRegisterTest("DetectFlowintTestParseVar04",
 DetectFlowintTestParseVar04, 1);
- UtRegisterTest ("DetectFlowintTestParseVal05",
+ UtRegisterTest("DetectFlowintTestParseVal05",
 DetectFlowintTestParseVal05, 1);
- UtRegisterTest ("DetectFlowintTestParseVar05",
+ UtRegisterTest("DetectFlowintTestParseVar05",
 DetectFlowintTestParseVar05, 1);
- UtRegisterTest ("DetectFlowintTestParseVal06",
+ UtRegisterTest("DetectFlowintTestParseVal06",
 DetectFlowintTestParseVal06, 1);
- UtRegisterTest ("DetectFlowintTestParseVar06",
+ UtRegisterTest("DetectFlowintTestParseVar06",
 DetectFlowintTestParseVar06, 1);
- UtRegisterTest ("DetectFlowintTestParseVal07",
+ UtRegisterTest("DetectFlowintTestParseVal07",
 DetectFlowintTestParseVal07, 1);
- UtRegisterTest ("DetectFlowintTestParseVar07",
+ UtRegisterTest("DetectFlowintTestParseVar07",
 DetectFlowintTestParseVar07, 1);
- UtRegisterTest ("DetectFlowintTestParseVal08",
+ UtRegisterTest("DetectFlowintTestParseVal08",
 DetectFlowintTestParseVal08, 1);
- UtRegisterTest ("DetectFlowintTestParseVar08",
+ UtRegisterTest("DetectFlowintTestParseVar08",
 DetectFlowintTestParseVar08, 1);
- UtRegisterTest ("DetectFlowintTestParseVal09",
+ UtRegisterTest("DetectFlowintTestParseVal09",
 DetectFlowintTestParseVal09, 1);
- UtRegisterTest ("DetectFlowintTestParseVar09",
+ UtRegisterTest("DetectFlowintTestParseVar09",
 DetectFlowintTestParseVar09, 1);
- UtRegisterTest ("DetectFlowintTestParseIsset10",
+ UtRegisterTest("DetectFlowintTestParseIsset10",
 DetectFlowintTestParseIsset10, 1);
- UtRegisterTest ("DetectFlowintTestParseInvalidSyntaxis01",
+ UtRegisterTest("DetectFlowintTestParseInvalidSyntaxis01",
 DetectFlowintTestParseInvalidSyntaxis01, 1);
- UtRegisterTest ("DetectFlowintTestPacket01Real",
+ UtRegisterTest("DetectFlowintTestPacket01Real",
 DetectFlowintTestPacket01Real, 1);
+ UtRegisterTest("DetectFlowintTestPacket02Real",
+ DetectFlowintTestPacket02Real, 1);
+ UtRegisterTest("DetectFlowintTestPacket03Real",
+ DetectFlowintTestPacket03Real, 1);
 #endif /* UNITTESTS */
 }
diff --git a/src/detect-flowint.h b/src/detect-flowint.h
index e6e9706526..fac89fe73f 100644
--- a/src/detect-flowint.h
+++ b/src/detect-flowint.h
@@ -15,8 +15,9 @@ enum {
 FLOWINT_MODIFIER_NE,
 FLOWINT_MODIFIER_GE,
 FLOWINT_MODIFIER_GT,
- /** Checking if a var isset (keyword isset)*/
- FLOWINT_MODIFIER_IS,
+ /** Checking if a var is set (keyword isset/notset)*/
+ FLOWINT_MODIFIER_ISSET,
+ FLOWINT_MODIFIER_NOTSET,
 FLOWINT_MODIFIER_UNKNOWN
 };
@@ -37,17 +38,22 @@ typedef struct TargetVar_ {
 /** Context data for flowint vars */
 typedef struct DetectFlowintData_ {
- char *name; /* This is the main var we are going to use
- * against the target */
+ /* This is the main var we are going to use
+ * against the target */
+ char *name;
+ /* Internal id of the var */
 uint16_t idx;
- uint8_t modifier; /* The modifier/operation/condition we are
- * going to execute */
-
+ /* The modifier/operation/condition we are
+ * going to execute */
+ uint8_t modifier;
 uint8_t targettype;
+
 union {
- uint32_t value; /* the target value */
- TargetVar tvar; /* or the target var */
+ /* the target value */
+ uint32_t value;
+ /* or the target var */
+ TargetVar tvar;
 } target;
 } DetectFlowintData;
diff --git a/src/flow-var.c b/src/flow-var.c
index c09d0219cb..deff87f552 100644
--- a/src/flow-var.c
+++ b/src/flow-var.c
@@ -124,10 +124,11 @@ void FlowVarPrint(GenericVar *gv) {
 printf("\\%02X", fv->data.fv_str.value[i]);
 }
 printf("\", Len \"%" PRIu32 "\"\n", fv->data.fv_str.value_len);
- }
- if (fv->datatype == FLOWVAR_TYPE_INT) {
+ } else if (fv->datatype == FLOWVAR_TYPE_INT) {
 printf("Name idx \"%" PRIu32 "\", Value \"%" PRIu32 "\"", fv->idx, fv->data.fv_int.value);
+ } else {
+ printf("Unknown data type at flowvars\n");
 }
 }
 FlowVarPrint(gv->next);
diff --git a/src/flow-var.h b/src/flow-var.h
index 71ce8bd83f..2ed8c708f2 100644
--- a/src/flow-var.h
+++ b/src/flow-var.h
@@ -1,5 +1,11 @@
-/* Copyright (c) 2008 Victor Julien */
-/* Copyright (c) 2009 Pablo Rincon */
+/** Copyright(c) 2009 Open Information Security Foundation.
+ *
+ * \author Victor Julien
+ * \author Pablo Rincon
+ *
+ * Flow level variable support for complex detection rules
+ * Supported types atm are String and Integers
+ */
 #ifndef __FLOW_VAR_H__
 #define __FLOW_VAR_H__
diff --git a/src/util-var-name.c b/src/util-var-name.c
index e24f2dde86..65e7333a3f 100644
--- a/src/util-var-name.c
+++ b/src/util-var-name.c
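Review bot: In the flow-var.c hunk, the FLOWVAR_TYPE_INT branch that the new `else if` introduces prints without a trailing newline, while the string branch above it and the new `else` fallback both end their output with `\n`, so an integer var's line runs straight into whatever is printed next (the recursive `FlowVarPrint(gv->next)` output or the caller's). Terminate it like its siblings: `printf("Name idx \"%" PRIu32 "\", Value \"%" PRIu32 "\"\n", fv->idx, fv->data.fv_int.value);`. The new fallback would also be more useful when diagnosing a corrupted or unhandled datatype if it showed the value it rejected, e.g. `printf("Unknown data type %u at flowvars\n", fv->datatype);` (assuming datatype is an unsigned integer no wider than unsigned int; adjust the specifier otherwise). FlowVarPrint begins before the hunk.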
@@ -104,27 +104,3 @@ error:
 return 0;
 }
-/** We need to use this at flowints/flowvars
- * Need to support options "isset" and "!isset"
- * return 0 if not set, the idx if it's set */
-uint8_t VariableNameIsSet(DetectEngineCtx *de_ctx, char *name, uint8_t type) {
- VariableName *fn = malloc(sizeof(VariableName));
- uint8_t result = 0;
- if (fn == NULL)
- goto end;
-
- memset(fn, 0, sizeof(VariableName));
-
- fn->type = type;
- fn->name = strdup(name);
- if (fn->name == NULL)
- goto end;
-
- VariableName *lookup_fn = (VariableName *)HashListTableLookup(de_ctx->variable_names, (void *)fn, 0);
- if (lookup_fn != NULL)
- result = lookup_fn->idx;
-
-end:
- VariableNameFree(fn);
- return result;
-}