aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords

Browse Source
remotes/origin/master-1.1.x
Anoop Saldanha 14 years ago committed by Victor Julien
parent 18da4a8b73
commit ed3b44b3b5
35 changed files with 1292 additions and 1230 deletions
Show Stats Download Patch File Download Diff File

4
src/alert-fastlog.c
Unescape Escape View File

@ -438,7 +438,7 @@ int AlertFastLogTest01()
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"FastLog test\"; content:GET; "
"(msg:\"FastLog test\"; content:\"GET\"; "
"Classtype:unknown; sid:1;)");
result = (de_ctx->sig_list != NULL);
@ -494,7 +494,7 @@ int AlertFastLogTest02()
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"FastLog test\"; content:GET; "
"(msg:\"FastLog test\"; content:\"GET\"; "
"Classtype:unknown; sid:1;)");
result = (de_ctx->sig_list != NULL);
if (result == 0)

2
src/app-layer-detect-proto.c
Unescape Escape View File

@ -204,7 +204,7 @@ end:
* \param flags Set STREAM_TOCLIENT or STREAM_TOSERVER for the direction in which to try to match the content.
*/
void AlpProtoAdd(AlpProtoDetectCtx *ctx, uint16_t ip_proto, uint16_t al_proto, char *content, uint16_t depth, uint16_t offset, uint8_t flags) {
DetectContentData *cd = DetectContentParse(content);
DetectContentData *cd = DetectContentParseEncloseQuotes(content);
if (cd == NULL) {
return;
}

4
src/cuda-packet-batcher.c
Unescape Escape View File

@ -1193,7 +1193,7 @@ int SCCudaPBTest01(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:test; sid:1;)");
"content:\"test\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("signature parsing failed\n");
goto end;
@ -1425,7 +1425,7 @@ int SCCudaPBTest02(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any 5555 -> any any (msg:\"Bamboo\"; "
"content:test; sid:1;)");
"content:\"test\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("signature parsing failed\n");
goto end;

96
src/detect-byte-extract.c
Unescape Escape View File

@ -1489,7 +1489,7 @@ int DetectByteExtractTest34(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,2,two,relative,string,hex; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -1566,7 +1566,7 @@ int DetectByteExtractTest35(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; pcre:/asf/; "
"content:\"one\"; pcre:/asf/; "
"byte_extract:4,0,two,relative,string,hex; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -1654,7 +1654,7 @@ int DetectByteExtractTest36(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; byte_jump:1,13; "
"content:\"one\"; byte_jump:1,13; "
"byte_extract:4,0,two,relative,string,hex; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -1742,7 +1742,7 @@ int DetectByteExtractTest37(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; uricontent:two; "
"content:\"one\"; uricontent:\"two\"; "
"byte_extract:4,0,two,relative,string,hex; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -1843,7 +1843,7 @@ int DetectByteExtractTest38(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; uricontent:two; "
"content:\"one\"; uricontent:\"two\"; "
"byte_extract:4,0,two,string,hex; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -1943,7 +1943,7 @@ int DetectByteExtractTest39(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; content:two; http_uri; "
"content:\"one\"; content:\"two\"; http_uri; "
"byte_extract:4,0,two,relative,string,hex; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -2044,7 +2044,7 @@ int DetectByteExtractTest40(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; content:two; http_uri; "
"content:\"one\"; content:\"two\"; http_uri; "
"byte_extract:4,0,two,string,hex; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -2143,7 +2143,7 @@ int DetectByteExtractTest41(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"sid:1;)");
@ -2245,9 +2245,9 @@ int DetectByteExtractTest42(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"uricontent: three; "
"uricontent: \"three\"; "
"byte_extract:4,0,four,string,hex,relative; "
"byte_extract:4,0,five,string,hex; "
"sid:1;)");
@ -2421,9 +2421,9 @@ int DetectByteExtractTest43(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"content: three; offset:two; "
"content: \"three\"; offset:two; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -2520,11 +2520,11 @@ int DetectByteExtractTest44(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"content: four; offset:two; "
"content: five; offset:three; "
"content: \"four\"; offset:two; "
"content: \"five\"; offset:three; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -2671,9 +2671,9 @@ int DetectByteExtractTest45(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"content: three; depth:two; "
"content: \"three\"; depth:two; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -2771,11 +2771,11 @@ int DetectByteExtractTest46(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"content: four; depth:two; "
"content: five; depth:three; "
"content: \"four\"; depth:two; "
"content: \"five\"; depth:three; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -2919,9 +2919,9 @@ int DetectByteExtractTest47(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"content: three; distance:two; "
"content: \"three\"; distance:two; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -3020,11 +3020,11 @@ int DetectByteExtractTest48(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"content: four; distance:two; "
"content: five; distance:three; "
"content: \"four\"; distance:two; "
"content: \"five\"; distance:three; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -3173,9 +3173,9 @@ int DetectByteExtractTest49(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"content: three; within:two; "
"content: \"three\"; within:two; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -3275,11 +3275,11 @@ int DetectByteExtractTest50(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"content: four; within:two; "
"content: five; within:three; "
"content: \"four\"; within:two; "
"content: \"five\"; within:three; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -3438,7 +3438,7 @@ int DetectByteExtractTest51(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_test: 2,=,10, two; "
"sid:1;)");
@ -3537,7 +3537,7 @@ int DetectByteExtractTest52(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"byte_test: 2,=,two,three; "
@ -3678,7 +3678,7 @@ int DetectByteExtractTest53(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_jump: 2,two; "
"sid:1;)");
@ -3776,7 +3776,7 @@ int DetectByteExtractTest54(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"byte_jump: 2,two; "
@ -3897,12 +3897,12 @@ int DetectByteExtractTest55(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"byte_extract:4,0,four,string,hex; "
"byte_extract:4,0,five,string,hex; "
"content: four; within:two; distance:three; offset:four; depth:five; "
"content: \"four\"; within:two; distance:three; offset:four; depth:five; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -4032,13 +4032,13 @@ int DetectByteExtractTest56(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"uricontent:urione; "
"content:one; "
"uricontent:\"urione\"; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"byte_extract:4,0,four,string,hex; "
"byte_extract:4,0,five,string,hex; "
"content: four; within:two; distance:three; offset:four; depth:five; "
"content: \"four\"; within:two; distance:three; offset:four; depth:five; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -4190,13 +4190,13 @@ int DetectByteExtractTest57(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"uricontent: urione; "
"content:\"one\"; "
"uricontent: \"urione\"; "
"byte_extract:4,0,two,string,hex,relative; "
"byte_extract:4,0,three,string,hex,relative; "
"byte_extract:4,0,four,string,hex,relative; "
"byte_extract:4,0,five,string,hex,relative; "
"uricontent: four; within:two; distance:three; offset:four; depth:five; "
"uricontent: \"four\"; within:two; distance:three; offset:four; depth:five; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -4361,7 +4361,7 @@ int DetectByteExtractTest58(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"byte_jump: 2,two; "
@ -4496,7 +4496,7 @@ int DetectByteExtractTest59(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"byte_jump: 2,two; "
@ -4630,9 +4630,9 @@ int DetectByteExtractTest60(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex,relative; "
"uricontent: three; "
"uricontent: \"three\"; "
"byte_extract:4,0,four,string,hex,relative; "
"isdataat: two; "
"sid:1;)");
@ -4773,9 +4773,9 @@ int DetectByteExtractTest61(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex,relative; "
"uricontent: three; "
"uricontent: \"three\"; "
"byte_extract:4,0,four,string,hex,relative; "
"isdataat: four, relative; "
"sid:1;)");

20
src/detect-bytejump.c
Unescape Escape View File

@ -907,7 +907,7 @@ int DetectBytejumpTestParse10(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; "
"content:\"one\"; distance:0; "
"byte_jump:4,0,align,multiplier 2, "
"post_offset -16,relative,dce; sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -934,7 +934,7 @@ int DetectBytejumpTestParse10(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; "
"content:\"one\"; distance:0; "
"byte_jump:4,0,align,multiplier 2, "
"post_offset -16,relative,dce; sid:1;)");
if (s->next == NULL) {
@ -961,7 +961,7 @@ int DetectBytejumpTestParse10(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; "
"content:\"one\"; distance:0; "
"byte_jump:4,0,align,multiplier 2, "
"post_offset -16,relative; sid:1;)");
if (s->next == NULL) {
@ -1010,7 +1010,7 @@ int DetectBytejumpTestParse11(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; byte_jump:4,0,align,multiplier 2, "
"content:\"one\"; byte_jump:4,0,align,multiplier 2, "
"post_offset -16,string,dce; sid:1;)");
if (s != NULL) {
result = 0;
@ -1021,7 +1021,7 @@ int DetectBytejumpTestParse11(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_sub_data; "
"content:one; byte_jump:4,0,align,multiplier 2, "
"content:\"one\"; byte_jump:4,0,align,multiplier 2, "
"post_offset -16,big,dce; sid:1;)");
if (s != NULL) {
result = 0;
@ -1032,7 +1032,7 @@ int DetectBytejumpTestParse11(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; byte_jump:4,0,align,multiplier 2, "
"content:\"one\"; byte_jump:4,0,align,multiplier 2, "
"post_offset -16,little,dce; sid:1;)");
if (s != NULL) {
result = 0;
@ -1043,7 +1043,7 @@ int DetectBytejumpTestParse11(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; byte_jump:4,0,align,multiplier 2, "
"content:\"one\"; byte_jump:4,0,align,multiplier 2, "
"post_offset -16,string,hex,dce; sid:1;)");
if (s != NULL) {
result = 0;
@ -1054,7 +1054,7 @@ int DetectBytejumpTestParse11(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; byte_jump:4,0,align,multiplier 2, "
"content:\"one\"; byte_jump:4,0,align,multiplier 2, "
"post_offset -16,string,dec,dce; sid:1;)");
if (s != NULL) {
result = 0;
@ -1065,7 +1065,7 @@ int DetectBytejumpTestParse11(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; byte_jump:4,0,align,multiplier 2, "
"content:\"one\"; byte_jump:4,0,align,multiplier 2, "
"post_offset -16,string,oct,dce; sid:1;)");
if (s != NULL) {
result = 0;
@ -1076,7 +1076,7 @@ int DetectBytejumpTestParse11(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; byte_jump:4,0,align,multiplier 2, "
"content:\"one\"; byte_jump:4,0,align,multiplier 2, "
"post_offset -16,from_beginning,dce; sid:1;)");
if (s != NULL) {
result = 0;

28
src/detect-bytetest.c
Unescape Escape View File

@ -1173,7 +1173,7 @@ int DetectBytetestTestParse20(void)
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; "
"content:\"one\"; distance:0; "
"byte_test:1,=,1,6,relative,dce; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -1200,7 +1200,7 @@ int DetectBytetestTestParse20(void)
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; "
"content:\"one\"; distance:0; "
"byte_test:1,=,1,6,relative,dce; sid:1;)");
if (s->next == NULL) {
result = 0;
@ -1227,7 +1227,7 @@ int DetectBytetestTestParse20(void)
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; "
"content:\"one\"; distance:0; "
"byte_test:1,=,1,6,relative; sid:1;)");
if (s->next == NULL) {
result = 0;
@ -1275,7 +1275,7 @@ int DetectBytetestTestParse21(void)
s = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"content:one; byte_test:1,=,1,6,string,dce; sid:1;)");
"content:\"one\"; byte_test:1,=,1,6,string,dce; sid:1;)");
if (s != NULL) {
result = 0;
goto end;
@ -1284,7 +1284,7 @@ int DetectBytetestTestParse21(void)
s = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"content:one; byte_test:1,=,1,6,big,dce; sid:1;)");
"content:\"one\"; byte_test:1,=,1,6,big,dce; sid:1;)");
if (s != NULL) {
result = 0;
goto end;
@ -1293,7 +1293,7 @@ int DetectBytetestTestParse21(void)
s = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"content:one; byte_test:1,=,1,6,little,dce; sid:1;)");
"content:\"one\"; byte_test:1,=,1,6,little,dce; sid:1;)");
if (s != NULL) {
result = 0;
goto end;
@ -1302,7 +1302,7 @@ int DetectBytetestTestParse21(void)
s = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"content:one; byte_test:1,=,1,6,hex,dce; sid:1;)");
"content:\"one\"; byte_test:1,=,1,6,hex,dce; sid:1;)");
if (s != NULL) {
result = 0;
goto end;
@ -1311,7 +1311,7 @@ int DetectBytetestTestParse21(void)
s = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"content:one; byte_test:1,=,1,6,dec,dce; sid:1;)");
"content:\"one\"; byte_test:1,=,1,6,dec,dce; sid:1;)");
if (s != NULL) {
result = 0;
goto end;
@ -1320,7 +1320,7 @@ int DetectBytetestTestParse21(void)
s = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"content:one; byte_test:1,=,1,6,oct,dce; sid:1;)");
"content:\"one\"; byte_test:1,=,1,6,oct,dce; sid:1;)");
if (s != NULL) {
result = 0;
goto end;
@ -1329,7 +1329,7 @@ int DetectBytetestTestParse21(void)
s = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"content:one; byte_test:1,=,1,6,string,hex,dce; sid:1;)");
"content:\"one\"; byte_test:1,=,1,6,string,hex,dce; sid:1;)");
if (s != NULL) {
result = 0;
goto end;
@ -1338,7 +1338,7 @@ int DetectBytetestTestParse21(void)
s = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"content:one; byte_test:1,=,1,6,big,string,hex,dce; sid:1;)");
"content:\"one\"; byte_test:1,=,1,6,big,string,hex,dce; sid:1;)");
if (s != NULL) {
result = 0;
goto end;
@ -1347,7 +1347,7 @@ int DetectBytetestTestParse21(void)
s = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"content:one; byte_test:1,=,1,6,big,string,oct,dce; sid:1;)");
"content:\"one\"; byte_test:1,=,1,6,big,string,oct,dce; sid:1;)");
if (s != NULL) {
result = 0;
goto end;
@ -1356,7 +1356,7 @@ int DetectBytetestTestParse21(void)
s = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"content:one; byte_test:1,=,1,6,little,string,hex,dce; sid:1;)");
"content:\"one\"; byte_test:1,=,1,6,little,string,hex,dce; sid:1;)");
if (s != NULL) {
result = 0;
goto end;
@ -1365,7 +1365,7 @@ int DetectBytetestTestParse21(void)
s = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytetest_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"content:one; byte_test:1,=,1,6,big,string,dec,dce; sid:1;)");
"content:\"one\"; byte_test:1,=,1,6,big,string,dec,dce; sid:1;)");
if (s != NULL) {
result = 0;
goto end;

157
src/detect-content.c
Unescape Escape View File

@ -110,14 +110,19 @@ int DetectContentDataParse(char *contentstr, char** pstr, uint16_t *plen, int *f
}
str[strlen(temp) - pos - 2] = '\0';
} else if (temp[pos] == '\"' || temp[pos + strlen(temp + pos) - 1] == '\"') {
goto error;
} else {
if ((str = SCStrdup(temp + pos)) == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "error allocating memory. exiting...");
exit(EXIT_FAILURE);
}
SCLogError(SC_ERR_INVALID_SIGNATURE, "content keywords's argument "
"should be always enclosed in double quotes. Invalid "
"content keyword passed in this rule - \"%s\"",
contentstr);
goto error;
}
if ((str = SCStrdup(temp + pos + 1)) == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "error allocating memory. exiting...");
exit(EXIT_FAILURE);
}
str[strlen(temp) - pos - 2] = '\0';
SCFree(temp);
temp = NULL;
@ -275,6 +280,18 @@ DetectContentData *DetectContentParse (char *contentstr)
}
DetectContentData *DetectContentParseEncloseQuotes(char *contentstr)
{
char str[strlen(contentstr) + 2];
str[0] = '\"';
memcpy(str + 1, contentstr, strlen(contentstr));
str[strlen(contentstr) + 1] = '\"';
str[strlen(contentstr) + 2] = '\0';
return DetectContentParse(str);
}
/**
* \brief Helper function to print a DetectContentData
*/
@ -693,7 +710,7 @@ int DetectContentParseTest07 (void) {
int DetectContentParseTest08 (void) {
int result = 1;
DetectContentData *cd = NULL;
char *teststring = "";
char *teststring = "\"\"";
cd = DetectContentParse(teststring);
if (cd != NULL) {
@ -979,7 +996,7 @@ int DetectContentLongPatternMatchTest11()
int DetectContentParseTest09(void) {
int result = 0;
DetectContentData *cd = NULL;
char *teststring = "!boo";
char *teststring = "!\"boo\"";
cd = DetectContentParse(teststring);
if (cd != NULL) {
@ -1010,7 +1027,7 @@ int DetectContentParseTest10(void) {
int DetectContentParseNegTest11(void) {
int result = 0;
DetectContentData *cd = NULL;
char *teststring = "boo";
char *teststring = "\"boo\"";
cd = DetectContentParse(teststring);
if (cd != NULL) {
@ -1070,7 +1087,7 @@ int DetectContentParseNegTest14(void) {
int DetectContentParseNegTest15(void) {
int result = 0;
DetectContentData *cd = NULL;
char *teststring = " !boo";
char *teststring = " !\"boo\"";
cd = DetectContentParse(teststring);
if (cd != NULL) {
@ -1085,7 +1102,7 @@ int DetectContentParseNegTest15(void) {
int DetectContentParseNegTest16(void) {
int result = 0;
DetectContentData *cd = NULL;
char *teststring = " boo";
char *teststring = " \"boo\"";
cd = DetectContentParse(teststring);
if (cd != NULL) {
@ -1103,7 +1120,7 @@ int DetectContentParseTest17(void)
{
int result = 0;
char *sigstr = "alert tcp any any -> any any (msg:\"Dummy\"; "
"content:one; content:two; within:2; sid:1;)";
"content:\"one\"; content:\"two\"; within:2; sid:1;)";
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
@ -1137,13 +1154,13 @@ int DetectContentParseTest18(void)
s->alproto = ALPROTO_DCERPC;
result &= (DetectContentSetup(de_ctx, s, "one") == 0);
result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0);
result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
SigFree(s);
s = SigAlloc();
result &= (DetectContentSetup(de_ctx, s, "one") == 0);
result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0);
result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
end:
@ -1172,7 +1189,7 @@ int DetectContentParseTest19(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; sid:1;)");
"content:\"one\"; distance:0; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -1200,7 +1217,7 @@ int DetectContentParseTest19(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; content:two; within:10; sid:1;)");
"content:\"one\"; distance:0; content:\"two\"; within:10; sid:1;)");
if (s->next == NULL) {
result = 0;
goto end;
@ -1229,8 +1246,8 @@ int DetectContentParseTest19(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; offset:5; depth:9; distance:0; "
"content:two; within:10; offset:10; depth:13; sid:1;)");
"content:\"one\"; offset:5; depth:9; distance:0; "
"content:\"two\"; within:10; offset:10; depth:13; sid:1;)");
if (s->next == NULL) {
result = 0;
goto end;
@ -1271,8 +1288,8 @@ int DetectContentParseTest19(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; "
"content:two; distance:2; sid:1;)");
"content:\"one\"; distance:0; "
"content:\"two\"; distance:2; sid:1;)");
if (s->next == NULL) {
result = 0;
goto end;
@ -1301,8 +1318,8 @@ int DetectContentParseTest19(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; "
"content:two; within:10; distance:2; sid:1;)");
"content:\"one\"; distance:0; "
"content:\"two\"; within:10; distance:2; sid:1;)");
if (s->next == NULL) {
result = 0;
goto end;
@ -1331,7 +1348,7 @@ int DetectContentParseTest19(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; offset:10; sid:1;)");
"content:\"one\"; distance:0; offset:10; sid:1;)");
if (s->next == NULL) {
result = 0;
goto end;
@ -1360,7 +1377,7 @@ int DetectContentParseTest19(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; depth:10; sid:1;)");
"content:\"one\"; distance:0; depth:10; sid:1;)");
if (s->next == NULL) {
result = 0;
goto end;
@ -1389,7 +1406,7 @@ int DetectContentParseTest19(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; offset:10; depth:2; sid:1;)");
"content:\"one\"; distance:0; offset:10; depth:2; sid:1;)");
if (s->next == NULL) {
result = 0;
goto end;
@ -1416,7 +1433,7 @@ int DetectContentParseTest19(void)
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; sid:1;)");
"content:\"one\"; sid:1;)");
if (s->next == NULL) {
result = 0;
goto end;
@ -1451,7 +1468,7 @@ int DetectContentParseTest20(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:""; sid:238012;)");
"(msg:\"test\"; content:\"\"; sid:238012;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1608,7 +1625,7 @@ int DetectContentParseTest25(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:|; sid:1;)");
"(msg:\"test\"; content:\"|\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1637,7 +1654,7 @@ int DetectContentParseTest26(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:|af; sid:1;)");
"(msg:\"test\"; content:\"|af\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1666,7 +1683,7 @@ int DetectContentParseTest27(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:af|; sid:1;)");
"(msg:\"test\"; content:\"af|\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1695,7 +1712,7 @@ int DetectContentParseTest28(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:|af|; sid:1;)");
"(msg:\"test\"; content:\"|af|\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -1724,7 +1741,7 @@ int DetectContentParseTest29(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:aast|; sid:1;)");
"(msg:\"test\"; content:\"aast|\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1753,7 +1770,7 @@ int DetectContentParseTest30(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:aast|af; sid:1;)");
"(msg:\"test\"; content:\"aast|af\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1782,7 +1799,7 @@ int DetectContentParseTest31(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:aast|af|; sid:1;)");
"(msg:\"test\"; content:\"aast|af|\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -1811,7 +1828,7 @@ int DetectContentParseTest32(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:|af|asdf; sid:1;)");
"(msg:\"test\"; content:\"|af|asdf\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -1840,7 +1857,7 @@ int DetectContentParseTest33(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:|af|af|; sid:1;)");
"(msg:\"test\"; content:\"|af|af|\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1869,7 +1886,7 @@ int DetectContentParseTest34(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:|af|af|af; sid:1;)");
"(msg:\"test\"; content:\"|af|af|af\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1898,7 +1915,7 @@ int DetectContentParseTest35(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; content:|af|af|af|; sid:1;)");
"(msg:\"test\"; content:\"|af|af|af|\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -2006,7 +2023,7 @@ end:
*/
static int SigTest41TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!GES; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"GES\"; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}
/**
@ -2015,7 +2032,7 @@ static int SigTest41TestNegatedContent(void)
*/
static int SigTest42TestNegatedContent(void)
{ // 01 5 10 15 20 24
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!twentythree; depth:22; offset:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"twentythree\"; depth:22; offset:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2027,7 +2044,7 @@ static int SigTest42TestNegatedContent(void)
*/
static int SigTest43TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (content:!twentythree; depth:34; offset:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (content:!\"twentythree\"; depth:34; offset:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2037,7 +2054,7 @@ static int SigTest43TestNegatedContent(void)
*/
static int SigTest44TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!twentythree; offset:40; depth:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"twentythree\"; offset:40; depth:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2046,7 +2063,7 @@ static int SigTest44TestNegatedContent(void)
*/
static int SigTest45TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:5; content:!twentythree; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:5; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2055,7 +2072,7 @@ static int SigTest45TestNegatedContent(void)
*/
static int SigTest46TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:onee; content:!twentythree; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"onee\"; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2065,7 +2082,7 @@ static int SigTest46TestNegatedContent(void)
*/
static int SigTest47TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; offset:5; content:!twentythree; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; offset:5; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2074,7 +2091,7 @@ static int SigTest47TestNegatedContent(void)
*/
static int SigTest48TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GET; content:!GES; within:26; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; within:26; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}
/**
@ -2083,7 +2100,7 @@ static int SigTest48TestNegatedContent(void)
*/
static int SigTest49TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GET; content:!Host; within:26; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"Host\"; within:26; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}
/**
@ -2092,7 +2109,7 @@ static int SigTest49TestNegatedContent(void)
*/
static int SigTest50TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GET; content:!GES; distance:25; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; distance:25; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}
/**
@ -2113,7 +2130,7 @@ static int SigTest51TestNegatedContent(void)
*/
static int SigTest52TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GES; content:!BOO; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GES\"; content:!\"BOO\"; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}
/**
@ -2122,7 +2139,7 @@ static int SigTest52TestNegatedContent(void)
*/
static int SigTest53TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2131,7 +2148,7 @@ static int SigTest53TestNegatedContent(void)
*/
static int SigTest54TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:20; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:20; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2140,7 +2157,7 @@ static int SigTest54TestNegatedContent(void)
*/
static int SigTest55TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!one; depth:5; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"one\"; depth:5; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2149,7 +2166,7 @@ static int SigTest55TestNegatedContent(void)
*/
static int SigTest56TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:\"fourty\"; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2158,7 +2175,7 @@ static int SigTest56TestNegatedContent(void)
*/
static int SigTest57TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2167,7 +2184,7 @@ static int SigTest57TestNegatedContent(void)
*/
static int SigTest58TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; distance:57; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; distance:57; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/**
@ -2176,17 +2193,17 @@ static int SigTest58TestNegatedContent(void)
*/
static int SigTest59TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; distance:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; distance:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest60TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!one; content:fourty; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"one\"; content:\"fourty\"; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest61TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (content:one; depth:10; content:!fourty; within:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/** \test Test negation in combination with within and depth
@ -2198,17 +2215,17 @@ static int SigTest61TestNegatedContent(void)
*/
static int SigTest62TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (content:one; depth:10; content:!fourty; within:49; depth:52; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:49; depth:52; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest63TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:10; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest64TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (content:one; depth:10; content:!fourty; within:30; depth:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; depth:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/** \test Test negation in combination with within and depth
@ -2220,48 +2237,48 @@ static int SigTest64TestNegatedContent(void)
*/
static int SigTest65TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (content:one; depth:10; content:!fourty; distance:0; within:49; offset:46; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; distance:0; within:49; offset:46; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest66TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (content:one; depth:10; content:!fourty; within:30; offset:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; offset:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest67TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (content:one; depth:10; content:!four; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"four\"; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest68TestNegatedContent(void)
{
return SigTestPositiveTestContent("alert tcp any any -> any any (content:one; depth:10; content:nine; offset:8; content:!fourty; within:28; content:fiftysix; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestPositiveTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:28; content:\"fiftysix\"; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest69TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (content:one; depth:10; content:nine; offset:8; content:!fourty; within:48; content:fiftysix; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:48; content:\"fiftysix\"; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest70TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (content:one; content:!fourty; within:52; distance:45 sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:52; distance:45 sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
/** \test within and distance */
static int SigTest71TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (content:one; content:!fourty; within:40; distance:43; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:40; distance:43; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest72TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (content:one; content:!fourty; within:49; distance:43; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:49; distance:43; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest73TestNegatedContent(void)
{
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:5; content:!twentythree; depth:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:5; content:!\"twentythree\"; depth:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
}
static int SigTest74TestNegatedContent(void)

1
src/detect-content.h
Unescape Escape View File

@ -97,6 +97,7 @@ void DetectContentRegister (void);
uint32_t DetectContentMaxId(DetectEngineCtx *);
DetectContentData *DetectContentParse (char *contentstr);
int DetectContentDataParse(char *contentstr, char** pstr, uint16_t *plen, int *flags);
DetectContentData *DetectContentParseEncloseQuotes(char *);
void DetectContentPrint(DetectContentData *);

206
src/detect-engine-dcepayload.c
Unescape Escape View File

@ -1666,21 +1666,21 @@ int DcePayloadTest01(void)
int i = 0;
char *sig1 = "alert tcp any any -> any any (dce_stub_data; "
"content:|26 d0 cf 80|; distance:0; sid:1;)";
"content:\"|26 d0 cf 80|\"; distance:0; sid:1;)";
char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
"content:|43 5b 67 26 65|; distance:0; sid:2;)";
"content:\"|43 5b 67 26 65|\"; distance:0; sid:2;)";
char *sig3 = "alert tcp any any -> any any (dce_stub_data; "
"content:|71 69 75 3e|; distance:0; sid:3;)";
"content:\"|71 69 75 3e|\"; distance:0; sid:3;)";
char *sig4 = "alert tcp any any -> any any (dce_stub_data; "
"content:|6a 68 69 3e 72|; distance:0; sid:4;)";
"content:\"|6a 68 69 3e 72|\"; distance:0; sid:4;)";
char *sig5 = "alert tcp any any -> any any (dce_stub_data; "
"content:|61 50 71 45 29 5b 56 3d 5a|; distance:0; sid:5;)";
"content:\"|61 50 71 45 29 5b 56 3d 5a|\"; distance:0; sid:5;)";
char *sig6 = "alert tcp any any -> any any (dce_stub_data; "
"content:|23 75 40 5d 32 55|; distance:0; sid:6;)";
"content:\"|23 75 40 5d 32 55|\"; distance:0; sid:6;)";
char *sig7 = "alert tcp any any -> any any (dce_stub_data; "
"content:|ee 70 32 65 c1|; distance:0; sid:7;)";
"content:\"|ee 70 32 65 c1|\"; distance:0; sid:7;)";
char *sig8 = "alert tcp any any -> any any (dce_stub_data; "
"content:|79 26 46 f7 bf a1|; distance:0; sid:8;)";
"content:\"|79 26 46 f7 bf a1|\"; distance:0; sid:8;)";
Signature *s;
@ -2544,7 +2544,7 @@ int DcePayloadTest02(void)
"(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"sid:1;)";
char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
"dce_stub_data; content:|2d 5e 63 2a 4c|; distance:0; sid:2;)";
"dce_stub_data; content:\"|2d 5e 63 2a 4c|\"; distance:0; sid:2;)";
Signature *s;
@ -2991,7 +2991,7 @@ int DcePayloadTest03(void)
"(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef4; "
"dce_stub_data; sid:1;)";
char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
"content:|2d 5e 63 2a 4c|; distance:0; sid:2;)";
"content:\"|2d 5e 63 2a 4c|\"; distance:0; sid:2;)";
Signature *s;
@ -3435,9 +3435,9 @@ int DcePayloadTest04(void)
char *sig1 = "alert tcp any any -> any any "
"(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; content:|91 27 27 40|; distance:0; sid:1;)";
"dce_stub_data; content:\"|91 27 27 40|\"; distance:0; sid:1;)";
char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
"content:|2d 5e 63 2a 4c|; distance:0; sid:2;)";
"content:\"|2d 5e 63 2a 4c|\"; distance:0; sid:2;)";
Signature *s;
@ -3880,9 +3880,9 @@ int DcePayloadTest05(void)
char *sig1 = "alert tcp any any -> any any "
"(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef4; "
"dce_stub_data; content:|91 27 27 40|; distance:0; sid:1;)";
"dce_stub_data; content:\"|91 27 27 40|\"; distance:0; sid:1;)";
char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
"dce_stub_data; content:|2d 5e 63 2a 4c|; distance:0; sid:2;)";
"dce_stub_data; content:\"|2d 5e 63 2a 4c|\"; distance:0; sid:2;)";
Signature *s;
@ -4326,9 +4326,9 @@ int DcePayloadTest06(void)
char *sig1 = "alert tcp any any -> any any "
"(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; content:|91 27 27 30|; distance:0; sid:1;)";
"dce_stub_data; content:\"|91 27 27 30|\"; distance:0; sid:1;)";
char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
"content:|2d 5e 63 2a 4c|; distance:0; sid:2;)";
"content:\"|2d 5e 63 2a 4c|\"; distance:0; sid:2;)";
Signature *s;
@ -4771,9 +4771,9 @@ int DcePayloadTest07(void)
char *sig1 = "alert tcp any any -> any any "
"(dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; content:|91 27 27 30|; distance:0; sid:1;)";
"dce_stub_data; content:\"|91 27 27 30|\"; distance:0; sid:1;)";
char *sig2 = "alert tcp any any -> any any (dce_stub_data; "
"content:|2d 5e 63 35 25|; distance:0; sid:2;)";
"content:\"|2d 5e 63 35 25|\"; distance:0; sid:2;)";
Signature *s;
@ -5055,7 +5055,7 @@ int DcePayloadTest08(void)
int i = 0;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5d 5b 35|; distance:0; content:|9e a3|; "
"(dce_stub_data; content:\"|5d 5b 35|\"; distance:0; content:\"|9e a3|\"; "
"distance:0; within:2; sid:1;)";
Signature *s;
@ -5277,7 +5277,7 @@ int DcePayloadTest09(void)
int i = 0;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5d 5b 35|; distance:0; content:|9e a3|; "
"(dce_stub_data; content:\"|5d 5b 35|\"; distance:0; content:\"|9e a3|\"; "
"distance:0; within:2; sid:1;)";
Signature *s;
@ -5499,7 +5499,7 @@ int DcePayloadTest10(void)
int i = 0;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; content:|ad 0d|; distance:0; content:|ad 0d 00|; "
"(dce_stub_data; content:\"|ad 0d|\"; distance:0; content:\"|ad 0d 00|\"; "
"distance:-10; within:3; sid:1;)";
Signature *s;
@ -5856,7 +5856,7 @@ int DcePayloadTest11(void)
int i = 0;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; content:|af, 26, d0|; distance:0; content:|80 98 6d|; "
"(dce_stub_data; content:\"|af, 26, d0|\"; distance:0; content:\"|80 98 6d|\"; "
"distance:1; within:3; sid:1;)";
Signature *s;
@ -6227,7 +6227,7 @@ int DcePayloadTest12(void)
int i = 0;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; content:|af, 26, d0|; distance:0; content:|80 98 6d|; "
"(dce_stub_data; content:\"|af, 26, d0|\"; distance:0; content:\"|80 98 6d|\"; "
"distance:2; within:3; sid:1;)";
Signature *s;
@ -6822,10 +6822,10 @@ int DcePayloadTest15(void)
int r;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_test:2,=,14080,0,relative,dce; sid:1;)";
char *sig2 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_test:2,=,46,5,relative,dce; sid:2;)";
Signature *s;
@ -6934,10 +6934,10 @@ int DcePayloadTest16(void)
int r;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_test:2,=,55,0,relative; sid:1;)";
char *sig2 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_test:2,=,11776,5,relative; sid:2;)";
Signature *s;
@ -7046,10 +7046,10 @@ int DcePayloadTest17(void)
int r;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_test:2,=,55,0,relative,big; sid:1;)";
char *sig2 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_test:2,=,46,5,relative,little; sid:2;)";
Signature *s;
@ -7158,10 +7158,10 @@ int DcePayloadTest18(void)
int r;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)";
char *sig2 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)";
Signature *s;
@ -7270,10 +7270,10 @@ int DcePayloadTest19(void)
int r;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)";
char *sig2 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)";
Signature *s;
@ -7382,10 +7382,10 @@ int DcePayloadTest20(void)
int r;
char *sig1 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)";
char *sig2 = "alert tcp any any -> any any "
"(dce_stub_data; content:|5c 00 5c 00 31|; distance:0; "
"(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
"byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)";
Signature *s;
@ -7489,8 +7489,8 @@ int DcePayloadTest21(void)
char *sig1 = "alert tcp any any -> any any "
"(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
"content:this; distance:0; content:is; within:6; content:big; within:8; "
"content:string; within:8; sid:1;)";
"content:\"this\"; distance:0; content:\"is\"; within:6; content:\"big\"; within:8; "
"content:\"string\"; within:8; sid:1;)";
Signature *s;
@ -7586,8 +7586,8 @@ int DcePayloadTest22(void)
char *sig1 = "alert tcp any any -> any any "
"(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
"content:this; distance:0; content:is; within:9; content:big; within:12; "
"content:string; within:8; sid:1;)";
"content:\"this\"; distance:0; content:\"is\"; within:9; content:\"big\"; within:12; "
"content:\"string\"; within:8; sid:1;)";
Signature *s;
@ -7683,9 +7683,9 @@ int DcePayloadTest23(void)
char *sig1 = "alert tcp any any -> any any "
"(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
"content:now; distance:0; content:this; distance:-20; "
"content:is; within:12; content:big; within:8; "
"content:string; within:8; sid:1;)";
"content:\"now\"; distance:0; content:\"this\"; distance:-20; "
"content:\"is\"; within:12; content:\"big\"; within:8; "
"content:\"string\"; within:8; sid:1;)";
Signature *s;
@ -7780,8 +7780,8 @@ int DcePayloadTest24(void)
char *sig1 = "alert tcp any any -> any any "
"(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
"content:thus; distance:0; offset:8; content:is; within:6; "
"content:big; within:8; sid:1;)";
"content:\"thus\"; distance:0; offset:8; content:\"is\"; within:6; "
"content:\"big\"; within:8; sid:1;)";
Signature *s;
@ -7867,9 +7867,9 @@ int DcePayloadParseTest25(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; content:two; "
"content:three; within:10; "
"content:four; distance:4; "
"content:\"one\"; content:\"two\"; "
"content:\"three\"; within:10; "
"content:\"four\"; distance:4; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
@ -7989,10 +7989,10 @@ int DcePayloadParseTest26(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
"content: one; "
"content:two; "
"content:three; within:5; "
"content:four; distance:10; "
"content:\"one\"; "
"content:\"two\"; "
"content:\"three\"; within:5; "
"content:\"four\"; distance:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -8115,10 +8115,10 @@ int DcePayloadParseTest27(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
"content: one; distance:10; within:5; "
"content:two; within:5;"
"content:three; within:5; "
"content:four; distance:10; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"content:\"three\"; within:5; "
"content:\"four\"; distance:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -8241,10 +8241,10 @@ int DcePayloadParseTest28(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
"content: one; distance:10; within:5; "
"content:two; within:5;"
"content:three;"
"content:four;"
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"content:\"three\";"
"content:\"four\";"
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -8369,10 +8369,10 @@ int DcePayloadParseTest29(void)
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
"pcre:/boom/; "
"content:one; distance:10; within:5; "
"content:two; within:5;"
"content:three;"
"content:four;"
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"content:\"three\";"
"content:\"four\";"
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -8510,10 +8510,10 @@ int DcePayloadParseTest30(void)
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
"byte_jump:2,5; "
"content:one; distance:10; within:5; "
"content:two; within:5;"
"content:three;"
"content:four;"
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"content:\"three\";"
"content:\"four\";"
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -8656,10 +8656,10 @@ int DcePayloadParseTest31(void)
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
"byte_jump:2,5,relative; "
"content:one; distance:10; within:5; "
"content:two; within:5;"
"content:three;"
"content:four;"
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"content:\"three\";"
"content:\"four\";"
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -8802,10 +8802,10 @@ int DcePayloadParseTest32(void)
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
"byte_jump:2,5,relative; "
"content:one; distance:10; within:5; "
"content:two; within:5;"
"content:three;"
"content:four; within:4; "
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"content:\"three\";"
"content:\"four\"; within:4; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -8948,10 +8948,10 @@ int DcePayloadParseTest33(void)
"(msg:\"Testing bytejump_body\"; "
"dce_stub_data; "
"pcre:/boom/R; "
"content:one; distance:10; within:5; "
"content:two; within:5;"
"content:three;"
"content:four; distance:5;"
"content:\"one\"; distance:10; within:5; "
"content:\"two\"; within:5;"
"content:\"three\";"
"content:\"four\"; distance:5;"
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -9092,8 +9092,8 @@ int DcePayloadParseTest34(void)
"dce_opnum:10; dce_stub_data; "
"pcre:/boom/R; "
"byte_jump:1,2,relative,align,dce; "
"content:one; within:4; distance:8; "
"content:two; "
"content:\"one\"; within:4; distance:8; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -9213,7 +9213,7 @@ int DcePayloadParseTest35(void)
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"byte_test:1,=,0,0,relative,dce; "
"content:one; "
"content:\"one\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -9299,8 +9299,8 @@ int DcePayloadParseTest36(void)
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"isdataat:10,relative; "
"content:one; within:4; distance:8; "
"content:two; "
"content:\"one\"; within:4; distance:8; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -9404,7 +9404,7 @@ int DcePayloadParseTest37(void)
"dce_opnum:10; dce_stub_data; "
"byte_jump:1,2,relative,align,dce; "
"byte_test:1,=,2,0,relative,dce; "
"content:one; "
"content:\"one\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -9512,7 +9512,7 @@ int DcePayloadParseTest38(void)
"pcre:/boom/R; "
"byte_jump:1,2,relative,align,dce; "
"byte_test:1,=,2,0,relative,dce; "
"content:one; "
"content:\"one\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -9625,10 +9625,10 @@ int DcePayloadParseTest39(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"content:two; within:4; distance:8; "
"content:\"two\"; within:4; distance:8; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -9713,10 +9713,10 @@ int DcePayloadParseTest40(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"content: one; within:10; "
"content:two; distance:20; within:30; "
"content:\"one\"; within:10; "
"content:\"two\"; distance:20; within:30; "
"byte_test:1,=,2,0,relative,dce; "
"content:three; "
"content:\"three\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -9842,10 +9842,10 @@ int DcePayloadParseTest41(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"content: one; within:10; "
"content:two; "
"content:\"one\"; within:10; "
"content:\"two\"; "
"byte_test:1,=,2,0,relative,dce; "
"content:three; "
"content:\"three\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -9978,7 +9978,7 @@ int DcePayloadTest42(void)
char *sig1 = "alert tcp any any -> any any "
"(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
"content:fix; distance:0; content:this; within:6; "
"content:\"fix\"; distance:0; content:\"this\"; within:6; "
"content:!\"and\"; distance:0; sid:1;)";
Signature *s;
@ -10077,7 +10077,7 @@ int DcePayloadTest43(void)
char *sig1 = "alert tcp any any -> any any "
"(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
"pcre:/super/R; content:nova; within:7; sid:1;)";
"pcre:/super/R; content:\"nova\"; within:7; sid:1;)";
Signature *s;
@ -10164,12 +10164,12 @@ int DcePayloadParseTest44(void)
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"isdataat:10,relative; "
"content:one; within:4; distance:8; "
"content:two; "
"content:\"one\"; within:4; distance:8; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -10291,10 +10291,10 @@ int DcePayloadParseTest45(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"dce_iface:12345678-1234-1234-1234-123456789012; "
"content:one; "
"content:\"one\"; "
"dce_opnum:10; dce_stub_data; "
"byte_jump:1,2,relative,align,dce; "
"content:two; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -10402,10 +10402,10 @@ int DcePayloadParseTest46(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"dce_iface:12345678-1234-1234-1234-123456789012; "
"content:one; "
"content:\"one\"; "
"dce_opnum:10; dce_stub_data; "
"byte_test:1,=,2,0,relative,dce; "
"content:two; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;

80
src/detect-engine-hcbd.c
Unescape Escape View File

@ -592,7 +592,7 @@ static int DetectEngineHttpClientBodyTest01(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1This; http_client_body; "
"content:\"body1This\"; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -709,7 +709,7 @@ static int DetectEngineHttpClientBodyTest02(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; offset:5; "
"content:\"body1\"; http_client_body; offset:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -814,7 +814,7 @@ static int DetectEngineHttpClientBodyTest03(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; offset:16; "
"content:\"body1\"; http_client_body; offset:16; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -934,7 +934,7 @@ static int DetectEngineHttpClientBodyTest04(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:!body1; http_client_body; offset:16; "
"content:!\"body1\"; http_client_body; offset:16; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1053,7 +1053,7 @@ static int DetectEngineHttpClientBodyTest05(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; depth:25; "
"content:\"body1\"; http_client_body; depth:25; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1172,7 +1172,7 @@ static int DetectEngineHttpClientBodyTest06(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:!body1; http_client_body; depth:25; "
"content:!\"body1\"; http_client_body; depth:25; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1291,7 +1291,7 @@ static int DetectEngineHttpClientBodyTest07(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:!body1; http_client_body; depth:15; "
"content:!\"body1\"; http_client_body; depth:15; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1410,7 +1410,7 @@ static int DetectEngineHttpClientBodyTest08(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:!body1; http_client_body; depth:25; "
"content:!\"body1\"; http_client_body; depth:25; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1529,8 +1529,8 @@ static int DetectEngineHttpClientBodyTest09(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; "
"content:This; http_client_body; within:5; "
"content:\"body1\"; http_client_body; "
"content:\"This\"; http_client_body; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1649,8 +1649,8 @@ static int DetectEngineHttpClientBodyTest10(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; "
"content:!boom; http_client_body; within:5; "
"content:\"body1\"; http_client_body; "
"content:!\"boom\"; http_client_body; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1769,8 +1769,8 @@ static int DetectEngineHttpClientBodyTest11(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; "
"content:boom; http_client_body; within:5; "
"content:\"body1\"; http_client_body; "
"content:\"boom\"; http_client_body; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1889,8 +1889,8 @@ static int DetectEngineHttpClientBodyTest12(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; "
"content:!This; http_client_body; within:5; "
"content:\"body1\"; http_client_body; "
"content:!\"This\"; http_client_body; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2009,8 +2009,8 @@ static int DetectEngineHttpClientBodyTest13(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; "
"content:dummy; http_client_body; distance:5; "
"content:\"body1\"; http_client_body; "
"content:\"dummy\"; http_client_body; distance:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2129,8 +2129,8 @@ static int DetectEngineHttpClientBodyTest14(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; "
"content:!dummy; http_client_body; distance:10; "
"content:\"body1\"; http_client_body; "
"content:!\"dummy\"; http_client_body; distance:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2249,8 +2249,8 @@ static int DetectEngineHttpClientBodyTest15(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; "
"content:dummy; http_client_body; distance:10; "
"content:\"body1\"; http_client_body; "
"content:\"dummy\"; http_client_body; distance:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2369,8 +2369,8 @@ static int DetectEngineHttpClientBodyTest16(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; "
"content:!dummy; http_client_body; distance:5; "
"content:\"body1\"; http_client_body; "
"content:!\"dummy\"; http_client_body; distance:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2473,8 +2473,8 @@ static int DetectEngineHttpClientBodyTest17(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; "
"content:bambu; http_client_body; "
"content:\"body1\"; http_client_body; "
"content:\"bambu\"; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2547,8 +2547,8 @@ static int DetectEngineHttpClientBodyTest18(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1; http_client_body; "
"content:bambu; http_client_body; fast_pattern; "
"content:\"body1\"; http_client_body; "
"content:\"bambu\"; http_client_body; fast_pattern; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2621,8 +2621,8 @@ static int DetectEngineHttpClientBodyTest19(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:bambu; http_client_body; "
"content:is; http_client_body; "
"content:\"bambu\"; http_client_body; "
"content:\"is\"; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2695,8 +2695,8 @@ static int DetectEngineHttpClientBodyTest20(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:bambu; http_client_body; "
"content:is; http_client_body; fast_pattern; "
"content:\"bambu\"; http_client_body; "
"content:\"is\"; http_client_body; fast_pattern; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2786,7 +2786,7 @@ static int DetectEngineHttpClientBodyTest21(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/P; "
"content:!dummy; http_client_body; within:7; "
"content:!\"dummy\"; http_client_body; within:7; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2906,7 +2906,7 @@ static int DetectEngineHttpClientBodyTest22(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/P; "
"content:!dummy; within:7; http_client_body; "
"content:!\"dummy\"; within:7; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3026,7 +3026,7 @@ static int DetectEngineHttpClientBodyTest23(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/P; "
"content:!dummy; distance:3; http_client_body; "
"content:!\"dummy\"; distance:3; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3146,7 +3146,7 @@ static int DetectEngineHttpClientBodyTest24(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/P; "
"content:!dummy; distance:13; http_client_body; "
"content:!\"dummy\"; distance:13; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3266,7 +3266,7 @@ static int DetectEngineHttpClientBodyTest25(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/P; "
"content:dummy; within:15; http_client_body; "
"content:\"dummy\"; within:15; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3386,7 +3386,7 @@ static int DetectEngineHttpClientBodyTest26(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/P; "
"content:dummy; within:10; http_client_body; "
"content:\"dummy\"; within:10; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3506,7 +3506,7 @@ static int DetectEngineHttpClientBodyTest27(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/P; "
"content:dummy; distance:8; http_client_body; "
"content:\"dummy\"; distance:8; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3626,7 +3626,7 @@ static int DetectEngineHttpClientBodyTest28(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/P; "
"content:dummy; distance:14; http_client_body; "
"content:\"dummy\"; distance:14; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;

44
src/detect-engine-hcd.c
Unescape Escape View File

@ -649,7 +649,7 @@ static int DetectEngineHttpCookieTest03(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!ECT; depth:4; http_cookie; "
"content:!\"ECT\"; depth:4; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -743,7 +743,7 @@ static int DetectEngineHttpCookieTest04(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:ECT; depth:4; http_cookie; "
"content:\"ECT\"; depth:4; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -837,7 +837,7 @@ static int DetectEngineHttpCookieTest05(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!CON; depth:4; http_cookie; "
"content:!\"CON\"; depth:4; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1025,7 +1025,7 @@ static int DetectEngineHttpCookieTest07(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!CO; offset:3; http_cookie; "
"content:!\"CO\"; offset:3; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1119,7 +1119,7 @@ static int DetectEngineHttpCookieTest08(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!ECT; offset:3; http_cookie; "
"content:!\"ECT\"; offset:3; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1213,7 +1213,7 @@ static int DetectEngineHttpCookieTest09(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CON; offset:3; http_cookie; "
"content:\"CON\"; offset:3; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1307,8 +1307,8 @@ static int DetectEngineHttpCookieTest10(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_cookie; "
"content:EC; within:4; http_cookie; "
"content:\"CO\"; http_cookie; "
"content:\"EC\"; within:4; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1402,8 +1402,8 @@ static int DetectEngineHttpCookieTest11(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_cookie; "
"content:!EC; within:3; http_cookie; "
"content:\"CO\"; http_cookie; "
"content:!\"EC\"; within:3; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1497,8 +1497,8 @@ static int DetectEngineHttpCookieTest12(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_cookie; "
"content:EC; within:3; http_cookie; "
"content:\"CO\"; http_cookie; "
"content:\"EC\"; within:3; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1592,8 +1592,8 @@ static int DetectEngineHttpCookieTest13(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_cookie; "
"content:!EC; within:4; http_cookie; "
"content:\"CO\"; http_cookie; "
"content:!\"EC\"; within:4; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1687,8 +1687,8 @@ static int DetectEngineHttpCookieTest14(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_cookie; "
"content:EC; distance:2; http_cookie; "
"content:\"CO\"; http_cookie; "
"content:\"EC\"; distance:2; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1782,8 +1782,8 @@ static int DetectEngineHttpCookieTest15(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_cookie; "
"content:!EC; distance:3; http_cookie; "
"content:\"CO\"; http_cookie; "
"content:!\"EC\"; distance:3; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1877,8 +1877,8 @@ static int DetectEngineHttpCookieTest16(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_cookie; "
"content:EC; distance:3; http_cookie; "
"content:\"CO\"; http_cookie; "
"content:\"EC\"; distance:3; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1972,8 +1972,8 @@ static int DetectEngineHttpCookieTest17(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_cookie; "
"content:!EC; distance:2; http_cookie; "
"content:\"CO\"; http_cookie; "
"content:!\"EC\"; distance:2; http_cookie; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;

48
src/detect-engine-hhd.c
Unescape Escape View File

@ -727,7 +727,7 @@ static int DetectEngineHttpHeaderTest03(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!one; depth:5; http_header; "
"content:!\"one\"; depth:5; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -819,7 +819,7 @@ static int DetectEngineHttpHeaderTest04(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; depth:5; http_header; "
"content:\"one\"; depth:5; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -911,7 +911,7 @@ static int DetectEngineHttpHeaderTest05(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!one; depth:15; http_header; "
"content:!\"one\"; depth:15; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1095,7 +1095,7 @@ static int DetectEngineHttpHeaderTest07(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!one; offset:15; http_header; "
"content:!\"one\"; offset:15; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1187,7 +1187,7 @@ static int DetectEngineHttpHeaderTest08(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; offset:15; http_header; "
"content:\"one\"; offset:15; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1279,7 +1279,7 @@ static int DetectEngineHttpHeaderTest09(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!one; offset:10; http_header; "
"content:!\"one\"; offset:10; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1371,7 +1371,7 @@ static int DetectEngineHttpHeaderTest10(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_header; content:three; http_header; within:10; "
"content:\"one\"; http_header; content:\"three\"; http_header; within:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1463,7 +1463,7 @@ static int DetectEngineHttpHeaderTest11(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_header; content:!three; http_header; within:5; "
"content:\"one\"; http_header; content:!\"three\"; http_header; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1555,7 +1555,7 @@ static int DetectEngineHttpHeaderTest12(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_header; content:!three; http_header; within:10; "
"content:\"one\"; http_header; content:!\"three\"; http_header; within:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1647,7 +1647,7 @@ static int DetectEngineHttpHeaderTest13(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_header; content:three; http_header; within:5; "
"content:\"one\"; http_header; content:\"three\"; http_header; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1739,7 +1739,7 @@ static int DetectEngineHttpHeaderTest14(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_header; content:five; http_header; distance:7; "
"content:\"one\"; http_header; content:\"five\"; http_header; distance:7; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1831,7 +1831,7 @@ static int DetectEngineHttpHeaderTest15(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_header; content:!five; http_header; distance:15; "
"content:\"one\"; http_header; content:!\"five\"; http_header; distance:15; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1923,7 +1923,7 @@ static int DetectEngineHttpHeaderTest16(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_header; content:!five; http_header; distance:7; "
"content:\"one\"; http_header; content:!\"five\"; http_header; distance:7; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2015,7 +2015,7 @@ static int DetectEngineHttpHeaderTest17(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_header; content:five; http_header; distance:15; "
"content:\"one\"; http_header; content:\"five\"; http_header; distance:15; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2105,7 +2105,7 @@ static int DetectEngineHttpHeaderTest18(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_header; content:five; http_header; "
"content:\"one\"; http_header; content:\"five\"; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2182,7 +2182,7 @@ static int DetectEngineHttpHeaderTest19(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_header; fast_pattern; content:five; http_header; "
"content:\"one\"; http_header; fast_pattern; content:\"five\"; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2269,7 +2269,7 @@ static int DetectEngineHttpHeaderTest20(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/H; "
"content:!dummy; http_header; within:7; "
"content:!\"dummy\"; http_header; within:7; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2386,7 +2386,7 @@ static int DetectEngineHttpHeaderTest21(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/H; "
"content:!dummy; within:7; http_header; "
"content:!\"dummy\"; within:7; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2503,7 +2503,7 @@ static int DetectEngineHttpHeaderTest22(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/H; "
"content:!dummy; distance:3; http_header; "
"content:!\"dummy\"; distance:3; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2620,7 +2620,7 @@ static int DetectEngineHttpHeaderTest23(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/H; "
"content:!dummy; distance:13; http_header; "
"content:!\"dummy\"; distance:13; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2737,7 +2737,7 @@ static int DetectEngineHttpHeaderTest24(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/H; "
"content:dummy; within:15; http_header; "
"content:\"dummy\"; within:15; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2854,7 +2854,7 @@ static int DetectEngineHttpHeaderTest25(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/H; "
"content:dummy; within:10; http_header; "
"content:\"dummy\"; within:10; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2971,7 +2971,7 @@ static int DetectEngineHttpHeaderTest26(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/H; "
"content:dummy; distance:8; http_header; "
"content:\"dummy\"; distance:8; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3088,7 +3088,7 @@ static int DetectEngineHttpHeaderTest27(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/H; "
"content:dummy; distance:14; http_header; "
"content:\"dummy\"; distance:14; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;

44
src/detect-engine-hmd.c
Unescape Escape View File

@ -633,7 +633,7 @@ static int DetectEngineHttpMethodTest03(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!ECT; depth:4; http_method; "
"content:!\"ECT\"; depth:4; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -726,7 +726,7 @@ static int DetectEngineHttpMethodTest04(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:ECT; depth:4; http_method; "
"content:\"ECT\"; depth:4; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -819,7 +819,7 @@ static int DetectEngineHttpMethodTest05(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!CON; depth:4; http_method; "
"content:!\"CON\"; depth:4; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1005,7 +1005,7 @@ static int DetectEngineHttpMethodTest07(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!CO; offset:3; http_method; "
"content:!\"CO\"; offset:3; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1098,7 +1098,7 @@ static int DetectEngineHttpMethodTest08(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!ECT; offset:3; http_method; "
"content:!\"ECT\"; offset:3; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1191,7 +1191,7 @@ static int DetectEngineHttpMethodTest09(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CON; offset:3; http_method; "
"content:\"CON\"; offset:3; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1284,8 +1284,8 @@ static int DetectEngineHttpMethodTest10(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_method; "
"content:EC; within:4; http_method; "
"content:\"CO\"; http_method; "
"content:\"EC\"; within:4; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1378,8 +1378,8 @@ static int DetectEngineHttpMethodTest11(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_method; "
"content:!EC; within:3; http_method; "
"content:\"CO\"; http_method; "
"content:!\"EC\"; within:3; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1472,8 +1472,8 @@ static int DetectEngineHttpMethodTest12(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_method; "
"content:EC; within:3; http_method; "
"content:\"CO\"; http_method; "
"content:\"EC\"; within:3; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1566,8 +1566,8 @@ static int DetectEngineHttpMethodTest13(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_method; "
"content:!EC; within:4; http_method; "
"content:\"CO\"; http_method; "
"content:!\"EC\"; within:4; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1660,8 +1660,8 @@ static int DetectEngineHttpMethodTest14(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_method; "
"content:EC; distance:2; http_method; "
"content:\"CO\"; http_method; "
"content:\"EC\"; distance:2; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1754,8 +1754,8 @@ static int DetectEngineHttpMethodTest15(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_method; "
"content:!EC; distance:3; http_method; "
"content:\"CO\"; http_method; "
"content:!\"EC\"; distance:3; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1848,8 +1848,8 @@ static int DetectEngineHttpMethodTest16(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_method; "
"content:EC; distance:3; http_method; "
"content:\"CO\"; http_method; "
"content:\"EC\"; distance:3; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1942,8 +1942,8 @@ static int DetectEngineHttpMethodTest17(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:CO; http_method; "
"content:!EC; distance:2; http_method; "
"content:\"CO\"; http_method; "
"content:!\"EC\"; distance:2; http_method; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;

48
src/detect-engine-hrhd.c
Unescape Escape View File

@ -638,7 +638,7 @@ static int DetectEngineHttpRawHeaderTest03(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!one; depth:5; http_raw_header; "
"content:!\"one\"; depth:5; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -730,7 +730,7 @@ static int DetectEngineHttpRawHeaderTest04(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; depth:5; http_raw_header; "
"content:\"one\"; depth:5; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -822,7 +822,7 @@ static int DetectEngineHttpRawHeaderTest05(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!one; depth:15; http_raw_header; "
"content:!\"one\"; depth:15; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1006,7 +1006,7 @@ static int DetectEngineHttpRawHeaderTest07(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!one; offset:15; http_raw_header; "
"content:!\"one\"; offset:15; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1098,7 +1098,7 @@ static int DetectEngineHttpRawHeaderTest08(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; offset:15; http_raw_header; "
"content:\"one\"; offset:15; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1190,7 +1190,7 @@ static int DetectEngineHttpRawHeaderTest09(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!one; offset:10; http_raw_header; "
"content:!\"one\"; offset:10; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1282,7 +1282,7 @@ static int DetectEngineHttpRawHeaderTest10(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_raw_header; content:three; http_raw_header; within:10; "
"content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1374,7 +1374,7 @@ static int DetectEngineHttpRawHeaderTest11(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_raw_header; content:!three; http_raw_header; within:5; "
"content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1466,7 +1466,7 @@ static int DetectEngineHttpRawHeaderTest12(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_raw_header; content:!three; http_raw_header; within:10; "
"content:\"one\"; http_raw_header; content:!\"three\"; http_raw_header; within:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1558,7 +1558,7 @@ static int DetectEngineHttpRawHeaderTest13(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_raw_header; content:three; http_raw_header; within:5; "
"content:\"one\"; http_raw_header; content:\"three\"; http_raw_header; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1650,7 +1650,7 @@ static int DetectEngineHttpRawHeaderTest14(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_raw_header; content:five; http_raw_header; distance:7; "
"content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:7; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1742,7 +1742,7 @@ static int DetectEngineHttpRawHeaderTest15(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_raw_header; content:!five; http_raw_header; distance:15; "
"content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:15; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1834,7 +1834,7 @@ static int DetectEngineHttpRawHeaderTest16(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_raw_header; content:!five; http_raw_header; distance:7; "
"content:\"one\"; http_raw_header; content:!\"five\"; http_raw_header; distance:7; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1926,7 +1926,7 @@ static int DetectEngineHttpRawHeaderTest17(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_raw_header; content:five; http_raw_header; distance:15; "
"content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; distance:15; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2016,7 +2016,7 @@ static int DetectEngineHttpRawHeaderTest18(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_raw_header; content:five; http_raw_header; "
"content:\"one\"; http_raw_header; content:\"five\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2093,7 +2093,7 @@ static int DetectEngineHttpRawHeaderTest19(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:one; http_raw_header; fast_pattern; content:five; http_raw_header; "
"content:\"one\"; http_raw_header; fast_pattern; content:\"five\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2180,7 +2180,7 @@ static int DetectEngineHttpRawHeaderTest20(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/D; "
"content:!dummy; http_raw_header; within:7; "
"content:!\"dummy\"; http_raw_header; within:7; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2297,7 +2297,7 @@ static int DetectEngineHttpRawHeaderTest21(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/D; "
"content:!dummy; within:7; http_raw_header; "
"content:!\"dummy\"; within:7; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2414,7 +2414,7 @@ static int DetectEngineHttpRawHeaderTest22(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/D; "
"content:!dummy; distance:3; http_raw_header; "
"content:!\"dummy\"; distance:3; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2531,7 +2531,7 @@ static int DetectEngineHttpRawHeaderTest23(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/D; "
"content:!dummy; distance:13; http_raw_header; "
"content:!\"dummy\"; distance:13; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2648,7 +2648,7 @@ static int DetectEngineHttpRawHeaderTest24(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/D; "
"content:dummy; within:15; http_raw_header; "
"content:\"dummy\"; within:15; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2765,7 +2765,7 @@ static int DetectEngineHttpRawHeaderTest25(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/D; "
"content:dummy; within:10; http_raw_header; "
"content:\"dummy\"; within:10; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2882,7 +2882,7 @@ static int DetectEngineHttpRawHeaderTest26(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/D; "
"content:dummy; distance:8; http_raw_header; "
"content:\"dummy\"; distance:8; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2999,7 +2999,7 @@ static int DetectEngineHttpRawHeaderTest27(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"pcre:/body1/D; "
"content:dummy; distance:14; http_raw_header; "
"content:\"dummy\"; distance:14; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;

84
src/detect-engine-hrud.c
Unescape Escape View File

@ -506,7 +506,7 @@ static int DetectEngineHttpRawUriTest01(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:../c/./d; http_raw_uri; "
"content:\"../c/./d\"; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -623,7 +623,7 @@ static int DetectEngineHttpRawUriTest02(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:/c/./d; http_raw_uri; offset:5; "
"content:\"/c/./d\"; http_raw_uri; offset:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -729,7 +729,7 @@ static int DetectEngineHttpRawUriTest03(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:/a/b; http_raw_uri; offset:10; "
"content:\"/a/b\"; http_raw_uri; offset:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -850,7 +850,7 @@ static int DetectEngineHttpRawUriTest04(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:!/a/b; http_raw_uri; offset:10; "
"content:!\"/a/b\"; http_raw_uri; offset:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -970,7 +970,7 @@ static int DetectEngineHttpRawUriTest05(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:a/b; http_raw_uri; depth:10; "
"content:\"a/b\"; http_raw_uri; depth:10; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1090,7 +1090,7 @@ static int DetectEngineHttpRawUriTest06(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:!/a/b; http_raw_uri; depth:25; "
"content:!\"/a/b\"; http_raw_uri; depth:25; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1210,7 +1210,7 @@ static int DetectEngineHttpRawUriTest07(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:!/c/./d; http_raw_uri; depth:12; "
"content:!\"/c/./d\"; http_raw_uri; depth:12; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1330,7 +1330,7 @@ static int DetectEngineHttpRawUriTest08(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:!/c/./d; http_raw_uri; depth:18; "
"content:!\"/c/./d\"; http_raw_uri; depth:18; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1450,8 +1450,8 @@ static int DetectEngineHttpRawUriTest09(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:/a; http_raw_uri; "
"content:./c/.; http_raw_uri; within:9; "
"content:\"/a\"; http_raw_uri; "
"content:\"./c/.\"; http_raw_uri; within:9; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1571,8 +1571,8 @@ static int DetectEngineHttpRawUriTest10(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:/a; http_raw_uri; "
"content:!boom; http_raw_uri; within:5; "
"content:\"/a\"; http_raw_uri; "
"content:!\"boom\"; http_raw_uri; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1692,8 +1692,8 @@ static int DetectEngineHttpRawUriTest11(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:./a; http_raw_uri; "
"content:boom; http_raw_uri; within:5; "
"content:\"./a\"; http_raw_uri; "
"content:\"boom\"; http_raw_uri; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1813,8 +1813,8 @@ static int DetectEngineHttpRawUriTest12(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:./a; http_raw_uri; "
"content:!/b/..; http_raw_uri; within:5; "
"content:\"./a\"; http_raw_uri; "
"content:!\"/b/..\"; http_raw_uri; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1934,8 +1934,8 @@ static int DetectEngineHttpRawUriTest13(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:./a; http_raw_uri; "
"content:/c/.; http_raw_uri; distance:5; "
"content:\"./a\"; http_raw_uri; "
"content:\"/c/.\"; http_raw_uri; distance:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2055,8 +2055,8 @@ static int DetectEngineHttpRawUriTest14(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:./a; http_raw_uri; "
"content:!b/..; http_raw_uri; distance:5; "
"content:\"./a\"; http_raw_uri; "
"content:!\"b/..\"; http_raw_uri; distance:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2176,8 +2176,8 @@ static int DetectEngineHttpRawUriTest15(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:./a; http_raw_uri; "
"content:/c/; http_raw_uri; distance:7; "
"content:\"./a\"; http_raw_uri; "
"content:\"/c/\"; http_raw_uri; distance:7; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2297,8 +2297,8 @@ static int DetectEngineHttpRawUriTest16(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:./a; http_raw_uri; "
"content:!/c/; http_raw_uri; distance:4; "
"content:\"./a\"; http_raw_uri; "
"content:!\"/c/\"; http_raw_uri; distance:4; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2401,8 +2401,8 @@ static int DetectEngineHttpRawUriTest17(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:body1; http_raw_uri; "
"content:bambu; http_raw_uri; "
"content:\"body1\"; http_raw_uri; "
"content:\"bambu\"; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2475,8 +2475,8 @@ static int DetectEngineHttpRawUriTest18(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:body1; http_raw_uri; "
"content:bambu; http_raw_uri; fast_pattern; "
"content:\"body1\"; http_raw_uri; "
"content:\"bambu\"; http_raw_uri; fast_pattern; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2549,8 +2549,8 @@ static int DetectEngineHttpRawUriTest19(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:bambu; http_raw_uri; "
"content:is; http_raw_uri; "
"content:\"bambu\"; http_raw_uri; "
"content:\"is\"; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2623,8 +2623,8 @@ static int DetectEngineHttpRawUriTest20(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"content:bambu; http_raw_uri; "
"content:is; http_raw_uri; fast_pattern; "
"content:\"bambu\"; http_raw_uri; "
"content:\"is\"; http_raw_uri; fast_pattern; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2715,7 +2715,7 @@ static int DetectEngineHttpRawUriTest21(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"pcre:/\\.\\/a/I; "
"content:!/c/; http_raw_uri; within:5; "
"content:!\"/c/\"; http_raw_uri; within:5; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2836,7 +2836,7 @@ static int DetectEngineHttpRawUriTest22(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"pcre:/\\.\\/a/I; "
"content:!/c/; within:5; http_raw_uri; "
"content:!\"/c/\"; within:5; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -2957,7 +2957,7 @@ static int DetectEngineHttpRawUriTest23(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"pcre:/\\.\\/a/I; "
"content:!/c/; distance:3; http_raw_uri; "
"content:!\"/c/\"; distance:3; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3078,7 +3078,7 @@ static int DetectEngineHttpRawUriTest24(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"pcre:/\\.\\/a/I; "
"content:!/c/; distance:10; http_raw_uri; "
"content:!\"/c/\"; distance:10; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3199,7 +3199,7 @@ static int DetectEngineHttpRawUriTest25(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"pcre:/\\.\\/a/I; "
"content:/c/; within:10; http_raw_uri; "
"content:\"/c/\"; within:10; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3320,7 +3320,7 @@ static int DetectEngineHttpRawUriTest26(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"pcre:/\\.\\/a/I; "
"content:/c/; within:5; http_raw_uri; "
"content:\"/c/\"; within:5; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3441,7 +3441,7 @@ static int DetectEngineHttpRawUriTest27(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"pcre:/\\.\\/a/I; "
"content:/c/; distance:5; http_raw_uri; "
"content:\"/c/\"; distance:5; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3562,7 +3562,7 @@ static int DetectEngineHttpRawUriTest28(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http raw uri test\"; "
"pcre:/\\.\\/a/I; "
"content:/c/; distance:10; http_raw_uri; "
"content:\"/c/\"; distance:10; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -3670,7 +3670,7 @@ static int DetectEngineHttpRawUriTest29(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative raw uri contents\"; "
"content:/c/; http_raw_uri; "
"content:\"/c/\"; http_raw_uri; "
"isdataat:4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
@ -3760,7 +3760,7 @@ static int DetectEngineHttpRawUriTest30(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative raw uri contents\"; "
"uricontent:/c/; isdataat:!10,relative; sid:1;)");
"uricontent:\"/c/\"; isdataat:!10,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}

50
src/detect-engine-payload.c
Unescape Escape View File

@ -605,8 +605,8 @@ static int PayloadTestSig04(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:this; content:is; within:6; content:big; within:8; "
"content:string; within:8; sid:1;)";
"content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
"content:\"string\"; within:8; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
@ -630,8 +630,8 @@ static int PayloadTestSig05(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:this; content:is; within:9; content:big; within:12; "
"content:string; within:8; sid:1;)";
"content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
"content:\"string\"; within:8; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
@ -655,8 +655,8 @@ static int PayloadTestSig06(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:now; content:this; content:is; within:12; content:big; within:8; "
"content:string; within:8; sid:1;)";
"content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
"content:\"string\"; within:8; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
@ -680,7 +680,7 @@ static int PayloadTestSig07(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:thus; offset:8; content:is; within:6; content:big; within:8; sid:1;)";
"content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
@ -706,7 +706,7 @@ static int PayloadTestSig08(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:fix; content:this; within:6; content:!\"and\"; distance:0; sid:1;)";
"content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 1) {
goto end;
@ -730,7 +730,7 @@ static int PayloadTestSig09(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"pcre:/super/; content:nova; within:7; sid:1;)";
"pcre:/super/; content:\"nova\"; within:7; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
@ -850,7 +850,7 @@ static int PayloadTestSig13(void)
uint16_t mpm_type = MPM_B2G;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:aa; content:aa; distance:0; content:aa; distance:0; "
"content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
"byte_test:1,>,200,0,relative; sid:1;)";
#include <sys/time.h>
@ -949,7 +949,7 @@ static int PayloadTestSig15(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:nova; isdataat:18,relative; sid:1;)";
"content:\"nova\"; isdataat:18,relative; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
@ -972,7 +972,7 @@ static int PayloadTestSig16(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:nova; isdataat:!20,relative; sid:1;)";
"content:\"nova\"; isdataat:!20,relative; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
@ -1023,9 +1023,9 @@ static int PayloadTestSig18(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:|01 02 03 04|; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"content:|0C 0D 0E 0F|; distance:one; sid:1;)";
"content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
@ -1052,9 +1052,9 @@ static int PayloadTestSig19(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:|01 02 03 04|; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,hex,relative; "
"content:|0C 0D 0E 0F|; distance:one; sid:1;)";
"content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
@ -1081,9 +1081,9 @@ static int PayloadTestSig20(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:|01 02 03 04|; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"content:|06 35 07 08|; offset:one; sid:1;)";
"content:\"|06 35 07 08|\"; offset:one; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
@ -1110,9 +1110,9 @@ static int PayloadTestSig21(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:|01 02 03 04|; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"content:|03 04 05 06|; depth:one; sid:1;)";
"content:\"|03 04 05 06|\"; depth:one; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
@ -1139,9 +1139,9 @@ static int PayloadTestSig22(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:|01 02 03 04|; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"content:|09 0A 0B 0C|; within:one; sid:1;)";
"content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
@ -1168,7 +1168,7 @@ static int PayloadTestSig23(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:|01 02 03 04|; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"byte_extract:1,3,two,string,dec,relative; "
"byte_test:1,=,one,two,string,dec,relative; sid:1;)";
@ -1198,10 +1198,10 @@ static int PayloadTestSig24(void)
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:|01 02 03 04|; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"byte_jump:1,one,string,dec,relative; "
"content:|0D 0E 0F|; distance:0; sid:1;)";
"content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;

80
src/detect-engine-siggroup.c
Unescape Escape View File

@ -1827,8 +1827,8 @@ static int SigGroupHeadTest06(void)
return 0;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:0;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:0;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -1836,8 +1836,8 @@ static int SigGroupHeadTest06(void)
prev_sig = de_ctx->sig_list;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:1;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:1;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -1845,8 +1845,8 @@ static int SigGroupHeadTest06(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:2;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:2;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -1854,8 +1854,8 @@ static int SigGroupHeadTest06(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:3;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:3;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -1863,8 +1863,8 @@ static int SigGroupHeadTest06(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:4;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:4;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -1911,8 +1911,8 @@ static int SigGroupHeadTest07(void)
return 0;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:0;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:0;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -1920,8 +1920,8 @@ static int SigGroupHeadTest07(void)
prev_sig = de_ctx->sig_list;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:1;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:1;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -1929,8 +1929,8 @@ static int SigGroupHeadTest07(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:2;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:2;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -1938,8 +1938,8 @@ static int SigGroupHeadTest07(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:3;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:3;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -1947,8 +1947,8 @@ static int SigGroupHeadTest07(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:4;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:4;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -2003,8 +2003,8 @@ static int SigGroupHeadTest08(void)
return 0;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:0;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:0;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -2012,8 +2012,8 @@ static int SigGroupHeadTest08(void)
prev_sig = de_ctx->sig_list;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:1;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:1;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -2021,8 +2021,8 @@ static int SigGroupHeadTest08(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:2;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:2;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -2030,8 +2030,8 @@ static int SigGroupHeadTest08(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:3;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:3;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -2039,8 +2039,8 @@ static int SigGroupHeadTest08(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:4;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:4;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -2097,8 +2097,8 @@ static int SigGroupHeadTest09(void)
return 0;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:0;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:0;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -2106,8 +2106,8 @@ static int SigGroupHeadTest09(void)
prev_sig = de_ctx->sig_list;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:1;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:1;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -2115,8 +2115,8 @@ static int SigGroupHeadTest09(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:2;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:2;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -2124,8 +2124,8 @@ static int SigGroupHeadTest09(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:3;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:3;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;
@ -2133,8 +2133,8 @@ static int SigGroupHeadTest09(void)
prev_sig = prev_sig->next;
prev_sig->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"SigGroupHead tests\"; content:test1; "
"content:test2; content:test3; sid:4;)");
"(msg:\"SigGroupHead tests\"; content:\"test1\"; "
"content:\"test2\"; content:\"test3\"; sid:4;)");
if (prev_sig->next == NULL) {
result = 0;
goto end;

72
src/detect-engine-uri.c
Unescape Escape View File

@ -546,7 +546,7 @@ static int UriTestSig01(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Test uricontent option\"; "
"uricontent:one; sid:1;)");
"uricontent:\"one\"; sid:1;)");
if (s == NULL) {
goto end;
}
@ -1581,7 +1581,7 @@ static int UriTestSig10(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Test uricontent with urilen option\"; "
"uricontent:one; urilen:<2; sid:1;)");
"uricontent:\"one\"; urilen:<2; sid:1;)");
if (s == NULL) {
goto end;
}
@ -1696,7 +1696,7 @@ static int UriTestSig11(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Test content, uricontent, pcre /U and urilen options\"; "
"content:one; uricontent:one; pcre:/(one){2,}(self)?/U;"
"content:\"one\"; uricontent:\"one\"; pcre:/(one){2,}(self)?/U;"
"urilen:<2; sid:1;)");
if (s == NULL) {
goto end;
@ -1812,7 +1812,7 @@ static int UriTestSig12(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Test pcre /U, uricontent and urilen option\"; "
"uricontent:one; "
"uricontent:\"one\"; "
"pcre:/(one)+self/U; urilen:>2; sid:1;)");
if (s == NULL) {
goto end;
@ -1928,7 +1928,7 @@ static int UriTestSig13(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Test urilen option\"; "
"urilen:>2; uricontent:one; sid:1;)");
"urilen:>2; uricontent:\"one\"; sid:1;)");
if (s == NULL) {
goto end;
}
@ -2044,7 +2044,7 @@ static int UriTestSig14(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Test uricontent option\"; "
"uricontent:one; pcre:/one(self)?/U;sid:1;)");
"uricontent:\"one\"; pcre:/one(self)?/U;sid:1;)");
if (s == NULL) {
goto end;
}
@ -2160,7 +2160,7 @@ static int UriTestSig15(void)
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Test uricontent option\"; "
"uricontent:one; pcre:/^\\/one(self)?$/U;sid:1;)");
"uricontent:\"one\"; pcre:/^\\/one(self)?$/U;sid:1;)");
if (s == NULL) {
goto end;
}
@ -2388,9 +2388,9 @@ static int UriTestSig17(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative uricontents\"; "
"uricontent:this; uricontent:is; within:6; "
"uricontent:big; within:8; "
"uricontent:string; within:8; sid:1;)");
"uricontent:\"this\"; uricontent:\"is\"; within:6; "
"uricontent:\"big\"; within:8; "
"uricontent:\"string\"; within:8; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -2479,9 +2479,9 @@ static int UriTestSig18(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative uricontents\"; "
"uricontent:this; uricontent:is; within:9; "
"uricontent:big; within:12; "
"uricontent:string; within:8; sid:1;)");
"uricontent:\"this\"; uricontent:\"is\"; within:9; "
"uricontent:\"big\"; within:12; "
"uricontent:\"string\"; within:8; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -2570,10 +2570,10 @@ static int UriTestSig19(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative uricontents\"; "
"uricontent:now; uricontent:this; "
"uricontent:is; within:12; "
"uricontent:big; within:8; "
"uricontent:string; within:8; sid:1;)");
"uricontent:\"now\"; uricontent:\"this\"; "
"uricontent:\"is\"; within:12; "
"uricontent:\"big\"; within:8; "
"uricontent:\"string\"; within:8; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -2662,9 +2662,9 @@ static int UriTestSig20(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative uricontents\"; "
"uricontent:thus; offset:8; "
"uricontent:is; within:6; "
"uricontent:big; within:8; sid:1;)");
"uricontent:\"thus\"; offset:8; "
"uricontent:\"is\"; within:6; "
"uricontent:\"big\"; within:8; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -2753,7 +2753,7 @@ static int UriTestSig21(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative uricontents\"; "
"uricontent:fix; uricontent:this; within:6; "
"uricontent:\"fix\"; uricontent:\"this\"; within:6; "
"uricontent:!\"and\"; distance:0; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
@ -2844,7 +2844,7 @@ static int UriTestSig22(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative uricontents\"; "
"pcre:/super/U; uricontent:nova; within:7; sid:1;)");
"pcre:/super/U; uricontent:\"nova\"; within:7; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -2933,7 +2933,7 @@ static int UriTestSig23(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative uricontents\"; "
"uricontent:!fix_this_now; sid:1;)");
"uricontent:!\"fix_this_now\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -3022,7 +3022,7 @@ static int UriTestSig24(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative uricontents\"; "
"uricontent:we_need_to; uricontent:!fix_this_now; sid:1;)");
"uricontent:\"we_need_to\"; uricontent:!\"fix_this_now\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -3200,7 +3200,7 @@ static int UriTestSig26(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative uricontents\"; "
"uricontent:fix_this; isdataat:4,relative; sid:1;)");
"uricontent:\"fix_this\"; isdataat:4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -3289,7 +3289,7 @@ static int UriTestSig27(void)
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"test multiple relative uricontents\"; "
"uricontent:fix_this; isdataat:!10,relative; sid:1;)");
"uricontent:\"fix_this\"; isdataat:!10,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -3410,9 +3410,9 @@ static int UriTestSig28(void)
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"dummy\"; "
"uricontent:this; "
"uricontent:\"this\"; "
"byte_extract:1,2,one,string,dec,relative; "
"uricontent:ring; distance:one; sid:1;)");
"uricontent:\"ring\"; distance:one; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -3498,9 +3498,9 @@ static int UriTestSig29(void)
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"dummy\"; "
"uricontent:this; "
"uricontent:\"this\"; "
"byte_extract:1,2,one,string,dec,relative; "
"uricontent:ring; distance:one; sid:1;)");
"uricontent:\"ring\"; distance:one; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -3586,9 +3586,9 @@ static int UriTestSig30(void)
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"dummy\"; "
"uricontent:this; "
"uricontent:\"this\"; "
"byte_extract:1,2,one,string,dec,relative; "
"uricontent:_b5ig; offset:one; sid:1;)");
"uricontent:\"_b5ig\"; offset:one; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -3674,9 +3674,9 @@ static int UriTestSig31(void)
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"dummy\"; "
"uricontent:this; "
"uricontent:\"this\"; "
"byte_extract:1,2,one,string,dec,relative; "
"uricontent:his; depth:one; sid:1;)");
"uricontent:\"his\"; depth:one; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -3762,9 +3762,9 @@ static int UriTestSig32(void)
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"dummy\"; "
"uricontent:this; "
"uricontent:\"this\"; "
"byte_extract:1,2,one,string,dec,relative; "
"uricontent:g_st; within:one; sid:1;)");
"uricontent:\"g_st\"; within:one; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}

922
src/detect-fast-pattern.c
View File

File diff suppressed because it is too large Load Diff

94
src/detect-http-client-body.c
Unescape Escape View File

@ -226,7 +226,7 @@ static int DetectHttpClientBodyTest01(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_client_body\"; "
"content:one; http_client_body; sid:1;)");
"content:\"one\"; http_client_body; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 1;
} else {
@ -263,7 +263,7 @@ static int DetectHttpClientBodyTest02(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_client_body\"; "
"content:one; http_client_body:; sid:1;)");
"content:\"one\"; http_client_body:; sid:1;)");
if (de_ctx->sig_list != NULL)
result = 1;
@ -319,7 +319,7 @@ static int DetectHttpClientBodyTest04(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_client_body\"; "
"content:one; rawbytes; http_client_body; sid:1;)");
"content:\"one\"; rawbytes; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL)
result = 1;
@ -347,7 +347,7 @@ static int DetectHttpClientBodyTest05(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_client_body\"; "
"content:one; http_client_body; nocase; sid:1;)");
"content:\"one\"; http_client_body; nocase; sid:1;)");
if (de_ctx->sig_list != NULL)
result = 1;
@ -411,7 +411,7 @@ static int DetectHttpClientBodyTest06(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:message; http_client_body; "
"content:\"message\"; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -639,7 +639,7 @@ static int DetectHttpClientBodyTest08(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:message; http_client_body; "
"content:\"message\"; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -763,7 +763,7 @@ static int DetectHttpClientBodyTest09(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1This; http_client_body; "
"content:\"body1This\"; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -886,7 +886,7 @@ static int DetectHttpClientBodyTest10(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:body1This; http_client_body; nocase;"
"content:\"body1This\"; http_client_body; nocase;"
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1000,7 +1000,7 @@ static int DetectHttpClientBodyTest11(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:!message1; http_client_body; "
"content:!\"message1\"; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1098,7 +1098,7 @@ static int DetectHttpClientBodyTest12(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:!message; http_client_body; "
"content:!\"message\"; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1197,7 +1197,7 @@ static int DetectHttpClientBodyTest13(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http client body test\"; "
"content:abcdefghijklmnopqrstuvwxyz0123456789; http_client_body; "
"content:\"abcdefghijklmnopqrstuvwxyz0123456789\"; http_client_body; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1675,7 +1675,7 @@ int DetectHttpClientBodyTest16(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; http_client_body; sid:1;)");
"(content:\"one\"; content:\"one\"; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1714,7 +1714,7 @@ int DetectHttpClientBodyTest17(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_client_body; content:one; sid:1;)");
"(content:\"one\"; http_client_body; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1753,7 +1753,7 @@ int DetectHttpClientBodyTest18(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; content:one; http_client_body; content:one; sid:1;)");
"(content:\"one\"; content:\"one\"; content:\"one\"; http_client_body; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1792,7 +1792,7 @@ int DetectHttpClientBodyTest19(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_client_body; content:one; content:one; content:one; sid:1;)");
"(content:\"one\"; http_client_body; content:\"one\"; content:\"one\"; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1831,8 +1831,8 @@ int DetectHttpClientBodyTest20(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_client_body; "
"content:one; content:one; http_client_body; content:one; sid:1;)");
"(content:\"one\"; http_client_body; "
"content:\"one\"; content:\"one\"; http_client_body; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1872,8 +1872,8 @@ int DetectHttpClientBodyTest21(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_client_body; "
"content:one; content:one; http_client_body; content:two; sid:1;)");
"(content:\"one\"; http_client_body; "
"content:\"one\"; content:\"one\"; http_client_body; content:\"two\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1926,8 +1926,8 @@ int DetectHttpClientBodyTest22(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:two; http_client_body; "
"content:three; distance:10; http_client_body; content:four; sid:1;)");
"(content:\"one\"; content:\"two\"; http_client_body; "
"content:\"three\"; distance:10; http_client_body; content:\"four\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1981,8 +1981,8 @@ int DetectHttpClientBodyTest23(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_client_body; pcre:/two/; "
"content:three; distance:10; http_client_body; content:four; sid:1;)");
"(content:\"one\"; http_client_body; pcre:/two/; "
"content:\"three\"; distance:10; http_client_body; content:\"four\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2035,8 +2035,8 @@ int DetectHttpClientBodyTest24(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_client_body; pcre:/two/; "
"content:three; distance:10; within:15; http_client_body; content:four; sid:1;)");
"(content:\"one\"; http_client_body; pcre:/two/; "
"content:\"three\"; distance:10; within:15; http_client_body; content:\"four\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2089,9 +2089,9 @@ int DetectHttpClientBodyTest25(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_client_body; pcre:/two/; "
"content:three; distance:10; http_client_body; "
"content:four; distance:10; sid:1;)");
"(content:\"one\"; http_client_body; pcre:/two/; "
"content:\"three\"; distance:10; http_client_body; "
"content:\"four\"; distance:10; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2145,9 +2145,9 @@ int DetectHttpClientBodyTest26(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; offset:10; http_client_body; pcre:/two/; "
"content:three; distance:10; http_client_body; depth:10; "
"content:four; distance:10; sid:1;)");
"(content:\"one\"; offset:10; http_client_body; pcre:/two/; "
"content:\"three\"; distance:10; http_client_body; depth:10; "
"content:\"four\"; distance:10; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2201,9 +2201,9 @@ int DetectHttpClientBodyTest27(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; offset:10; http_client_body; pcre:/two/; distance:10; "
"content:three; distance:10; http_client_body; depth:10; "
"content:four; distance:10; sid:1;)");
"(content:\"one\"; offset:10; http_client_body; pcre:/two/; distance:10; "
"content:\"three\"; distance:10; http_client_body; depth:10; "
"content:\"four\"; distance:10; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -2227,9 +2227,9 @@ int DetectHttpClientBodyTest28(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_client_body; pcre:/two/; "
"content:three; http_client_body; depth:10; "
"content:four; distance:10; sid:1;)");
"(content:\"one\"; http_client_body; pcre:/two/; "
"content:\"three\"; http_client_body; depth:10; "
"content:\"four\"; distance:10; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2283,8 +2283,8 @@ int DetectHttpClientBodyTest29(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_client_body; "
"content:two; distance:0; http_client_body; sid:1;)");
"(content:\"one\"; http_client_body; "
"content:\"two\"; distance:0; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2327,8 +2327,8 @@ int DetectHttpClientBodyTest30(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_client_body; "
"content:two; within:5; http_client_body; sid:1;)");
"(content:\"one\"; http_client_body; "
"content:\"two\"; within:5; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2371,7 +2371,7 @@ int DetectHttpClientBodyTest31(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; within:5; http_client_body; sid:1;)");
"(content:\"one\"; within:5; http_client_body; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -2395,7 +2395,7 @@ int DetectHttpClientBodyTest32(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_client_body; within:5; sid:1;)");
"(content:\"one\"; http_client_body; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -2419,7 +2419,7 @@ int DetectHttpClientBodyTest33(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; within:5; sid:1;)");
"(content:\"one\"; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -2444,7 +2444,7 @@ int DetectHttpClientBodyTest34(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(pcre:/one/P; "
"content:two; within:5; http_client_body; sid:1;)");
"content:\"two\"; within:5; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2494,7 +2494,7 @@ int DetectHttpClientBodyTest35(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:two; http_client_body; "
"(content:\"two\"; http_client_body; "
"pcre:/one/PR; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
@ -2546,7 +2546,7 @@ int DetectHttpClientBodyTest36(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(pcre:/one/P; "
"content:two; distance:5; http_client_body; sid:1;)");
"content:\"two\"; distance:5; http_client_body; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;

24
src/detect-http-cookie.c
Unescape Escape View File

@ -397,7 +397,7 @@ int DetectHttpCookieTest07(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; http_cookie; sid:1;)");
"(content:\"one\"; content:\"one\"; http_cookie; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -436,7 +436,7 @@ int DetectHttpCookieTest08(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_cookie; content:one; sid:1;)");
"(content:\"one\"; http_cookie; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -475,7 +475,7 @@ int DetectHttpCookieTest09(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; content:one; http_cookie; content:one; sid:1;)");
"(content:\"one\"; content:\"one\"; content:\"one\"; http_cookie; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -514,7 +514,7 @@ int DetectHttpCookieTest10(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_cookie; content:one; content:one; content:one; sid:1;)");
"(content:\"one\"; http_cookie; content:\"one\"; content:\"one\"; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -553,8 +553,8 @@ int DetectHttpCookieTest11(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_cookie; "
"content:one; content:one; http_cookie; content:one; sid:1;)");
"(content:\"one\"; http_cookie; "
"content:\"one\"; content:\"one\"; http_cookie; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -594,8 +594,8 @@ int DetectHttpCookieTest12(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_cookie; "
"content:one; content:one; http_cookie; content:two; sid:1;)");
"(content:\"one\"; http_cookie; "
"content:\"one\"; content:\"one\"; http_cookie; content:\"two\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -856,7 +856,7 @@ static int DetectHttpCookieSigTest03(void) {
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
"\"HTTP cookie\"; content:boo; "
"\"HTTP cookie\"; content:\"boo\"; "
"http_cookie; sid:1;)");
if (s == NULL) {
goto end;
@ -945,7 +945,7 @@ static int DetectHttpCookieSigTest04(void) {
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
"\"HTTP cookie\"; content:!boo; "
"\"HTTP cookie\"; content:!\"boo\"; "
"http_cookie; sid:1;)");
if (s == NULL) {
goto end;
@ -1034,7 +1034,7 @@ static int DetectHttpCookieSigTest05(void) {
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
"\"HTTP cookie\"; content:dummy; nocase; "
"\"HTTP cookie\"; content:\"dummy\"; nocase; "
"http_cookie; sid:1;)");
if (s == NULL) {
goto end;
@ -1211,7 +1211,7 @@ static int DetectHttpCookieSigTest07(void) {
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
"\"HTTP cookie\"; content:!dummy; "
"\"HTTP cookie\"; content:!\"dummy\"; "
"http_cookie; sid:1;)");
if (s == NULL) {
goto end;

48
src/detect-http-header.c
Unescape Escape View File

@ -228,7 +228,7 @@ static int DetectHttpHeaderTest01(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"content:one; http_header; sid:1;)");
"content:\"one\"; http_header; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 1;
} else {
@ -270,7 +270,7 @@ static int DetectHttpHeaderTest02(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"content:one; http_header:; sid:1;)");
"content:\"one\"; http_header:; sid:1;)");
if (de_ctx->sig_list != NULL)
result = 1;
else
@ -330,7 +330,7 @@ static int DetectHttpHeaderTest04(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"content:one; rawbytes; http_header; sid:1;)");
"content:\"one\"; rawbytes; http_header; sid:1;)");
if (de_ctx->sig_list == NULL)
result = 1;
else
@ -360,7 +360,7 @@ static int DetectHttpHeaderTest05(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"content:one; nocase; http_header; sid:1;)");
"content:\"one\"; nocase; http_header; sid:1;)");
if (de_ctx->sig_list != NULL)
result = 1;
else
@ -531,7 +531,7 @@ static int DetectHttpHeaderTest07(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:Mozilla; http_header; "
"content:\"Mozilla\"; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1007,7 +1007,7 @@ static int DetectHttpHeaderTest11(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!lalalalala; http_header; "
"content:!\"lalalalala\"; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1258,7 +1258,7 @@ int DetectHttpHeaderTest14(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; http_header; sid:1;)");
"(content:\"one\"; content:\"one\"; http_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1297,7 +1297,7 @@ int DetectHttpHeaderTest15(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_header; content:one; sid:1;)");
"(content:\"one\"; http_header; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1336,7 +1336,7 @@ int DetectHttpHeaderTest16(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; content:one; http_header; content:one; sid:1;)");
"(content:\"one\"; content:\"one\"; content:\"one\"; http_header; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1375,7 +1375,7 @@ int DetectHttpHeaderTest17(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_header; content:one; content:one; content:one; sid:1;)");
"(content:\"one\"; http_header; content:\"one\"; content:\"one\"; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1414,8 +1414,8 @@ int DetectHttpHeaderTest18(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_header; "
"content:one; content:one; http_header; content:one; sid:1;)");
"(content:\"one\"; http_header; "
"content:\"one\"; content:\"one\"; http_header; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1455,8 +1455,8 @@ int DetectHttpHeaderTest19(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_header; "
"content:one; content:one; http_header; content:two; sid:1;)");
"(content:\"one\"; http_header; "
"content:\"one\"; content:\"one\"; http_header; content:\"two\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1496,8 +1496,8 @@ int DetectHttpHeaderTest20(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_header; "
"content:two; distance:0; http_header; sid:1;)");
"(content:\"one\"; http_header; "
"content:\"two\"; distance:0; http_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1540,8 +1540,8 @@ int DetectHttpHeaderTest21(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_header; "
"content:two; within:5; http_header; sid:1;)");
"(content:\"one\"; http_header; "
"content:\"two\"; within:5; http_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1584,7 +1584,7 @@ int DetectHttpHeaderTest22(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; within:5; http_header; sid:1;)");
"(content:\"one\"; within:5; http_header; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -1608,7 +1608,7 @@ int DetectHttpHeaderTest23(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_header; within:5; sid:1;)");
"(content:\"one\"; http_header; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -1632,7 +1632,7 @@ int DetectHttpHeaderTest24(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; within:5; sid:1;)");
"(content:\"one\"; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -1657,7 +1657,7 @@ int DetectHttpHeaderTest25(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(pcre:/one/H; "
"content:two; within:5; http_header; sid:1;)");
"content:\"two\"; within:5; http_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1707,7 +1707,7 @@ int DetectHttpHeaderTest26(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:two; http_header; "
"(content:\"two\"; http_header; "
"pcre:/one/HR; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
@ -1759,7 +1759,7 @@ int DetectHttpHeaderTest27(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(pcre:/one/H; "
"content:two; distance:5; http_header; sid:1;)");
"content:\"two\"; distance:5; http_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;

20
src/detect-http-method.c
Unescape Escape View File

@ -346,7 +346,7 @@ int DetectHttpMethodTest06(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; http_method; sid:1;)");
"(content:\"one\"; content:\"one\"; http_method; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -385,7 +385,7 @@ int DetectHttpMethodTest07(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_method; content:one; sid:1;)");
"(content:\"one\"; http_method; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -424,7 +424,7 @@ int DetectHttpMethodTest08(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; content:one; http_method; content:one; sid:1;)");
"(content:\"one\"; content:\"one\"; content:\"one\"; http_method; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -463,7 +463,7 @@ int DetectHttpMethodTest09(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_method; content:one; content:one; content:one; sid:1;)");
"(content:\"one\"; http_method; content:\"one\"; content:\"one\"; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -502,8 +502,8 @@ int DetectHttpMethodTest10(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_method; "
"content:one; content:one; http_method; content:one; sid:1;)");
"(content:\"one\"; http_method; "
"content:\"one\"; content:\"one\"; http_method; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -543,8 +543,8 @@ int DetectHttpMethodTest11(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_method; "
"content:one; content:one; http_method; content:two; sid:1;)");
"(content:\"one\"; http_method; "
"content:\"one\"; content:\"one\"; http_method; content:\"two\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -586,12 +586,12 @@ static int DetectHttpMethodTest12(void)
de_ctx->flags |= DE_QUIET;
if (DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
"(content:one; http_method; nocase; sid:1;)") == NULL) {
"(content:\"one\"; http_method; nocase; sid:1;)") == NULL) {
printf("DetectEngineAppend == NULL: ");
goto end;
}
if (DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
"(content:one; nocase; http_method; sid:2;)") == NULL) {
"(content:\"one\"; nocase; http_method; sid:2;)") == NULL) {
printf("DetectEngineAppend == NULL: ");
goto end;
}

48
src/detect-http-raw-header.c
Unescape Escape View File

@ -225,7 +225,7 @@ static int DetectHttpRawHeaderTest01(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"content:one; http_raw_header; sid:1;)");
"content:\"one\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 1;
} else {
@ -267,7 +267,7 @@ static int DetectHttpRawHeaderTest02(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"content:one; http_raw_header:; sid:1;)");
"content:\"one\"; http_raw_header:; sid:1;)");
if (de_ctx->sig_list != NULL)
result = 1;
else
@ -327,7 +327,7 @@ static int DetectHttpRawHeaderTest04(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"content:one; rawbytes; http_raw_header; sid:1;)");
"content:\"one\"; rawbytes; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL)
result = 1;
else
@ -357,7 +357,7 @@ static int DetectHttpRawHeaderTest05(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing http_header\"; "
"content:one; nocase; http_raw_header; sid:1;)");
"content:\"one\"; nocase; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL)
result = 1;
else
@ -528,7 +528,7 @@ static int DetectHttpRawHeaderTest07(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:Mozilla; http_raw_header; "
"content:\"Mozilla\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1003,7 +1003,7 @@ static int DetectHttpRawHeaderTest11(void)
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!lalalalala; http_raw_header; "
"content:!\"lalalalala\"; http_raw_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
@ -1254,7 +1254,7 @@ int DetectHttpRawHeaderTest14(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; http_raw_header; sid:1;)");
"(content:\"one\"; content:\"one\"; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1293,7 +1293,7 @@ int DetectHttpRawHeaderTest15(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_header; content:one; sid:1;)");
"(content:\"one\"; http_raw_header; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1332,7 +1332,7 @@ int DetectHttpRawHeaderTest16(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; content:one; http_raw_header; content:one; sid:1;)");
"(content:\"one\"; content:\"one\"; content:\"one\"; http_raw_header; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1371,7 +1371,7 @@ int DetectHttpRawHeaderTest17(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_header; content:one; content:one; content:one; sid:1;)");
"(content:\"one\"; http_raw_header; content:\"one\"; content:\"one\"; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1410,8 +1410,8 @@ int DetectHttpRawHeaderTest18(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_header; "
"content:one; content:one; http_raw_header; content:one; sid:1;)");
"(content:\"one\"; http_raw_header; "
"content:\"one\"; content:\"one\"; http_raw_header; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1451,8 +1451,8 @@ int DetectHttpRawHeaderTest19(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_header; "
"content:one; content:one; http_raw_header; content:two; sid:1;)");
"(content:\"one\"; http_raw_header; "
"content:\"one\"; content:\"one\"; http_raw_header; content:\"two\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1492,8 +1492,8 @@ int DetectHttpRawHeaderTest20(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_header; "
"content:two; distance:0; http_raw_header; sid:1;)");
"(content:\"one\"; http_raw_header; "
"content:\"two\"; distance:0; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1536,8 +1536,8 @@ int DetectHttpRawHeaderTest21(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_header; "
"content:two; within:5; http_raw_header; sid:1;)");
"(content:\"one\"; http_raw_header; "
"content:\"two\"; within:5; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1580,7 +1580,7 @@ int DetectHttpRawHeaderTest22(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; within:5; http_raw_header; sid:1;)");
"(content:\"one\"; within:5; http_raw_header; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -1604,7 +1604,7 @@ int DetectHttpRawHeaderTest23(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_header; within:5; sid:1;)");
"(content:\"one\"; http_raw_header; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -1628,7 +1628,7 @@ int DetectHttpRawHeaderTest24(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; within:5; sid:1;)");
"(content:\"one\"; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -1653,7 +1653,7 @@ int DetectHttpRawHeaderTest25(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(pcre:/one/D; "
"content:two; within:5; http_raw_header; sid:1;)");
"content:\"two\"; within:5; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -1703,7 +1703,7 @@ int DetectHttpRawHeaderTest26(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:two; http_raw_header; "
"(content:\"two\"; http_raw_header; "
"pcre:/one/DR; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
@ -1755,7 +1755,7 @@ int DetectHttpRawHeaderTest27(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(pcre:/one/D; "
"content:two; distance:5; http_raw_header; sid:1;)");
"content:\"two\"; distance:5; http_raw_header; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;

58
src/detect-http-raw-uri.c
Unescape Escape View File

@ -359,7 +359,7 @@ int DetectHttpRawUriTest06(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; http_raw_uri; sid:1;)");
"(content:\"one\"; content:\"one\"; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -400,8 +400,8 @@ int DetectHttpRawUriTest07(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_uri; "
"content:one; sid:1;)");
"(content:\"one\"; http_raw_uri; "
"content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -442,9 +442,9 @@ int DetectHttpRawUriTest08(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; "
"content:one; "
"content:one; http_raw_uri; content:one; "
"(content:\"one\"; "
"content:\"one\"; "
"content:\"one\"; http_raw_uri; content:\"one\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
@ -486,10 +486,10 @@ int DetectHttpRawUriTest09(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_uri; "
"content:one; "
"content:one; "
"content:one; sid:1;)");
"(content:\"one\"; http_raw_uri; "
"content:\"one\"; "
"content:\"one\"; "
"content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -530,10 +530,10 @@ int DetectHttpRawUriTest10(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_uri; "
"content:one; "
"content:one; http_raw_uri; "
"content:one; sid:1;)");
"(content:\"one\"; http_raw_uri; "
"content:\"one\"; "
"content:\"one\"; http_raw_uri; "
"content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -576,10 +576,10 @@ int DetectHttpRawUriTest11(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_uri; "
"content:one; "
"content:one; http_raw_uri; "
"content:two; sid:1;)");
"(content:\"one\"; http_raw_uri; "
"content:\"one\"; "
"content:\"one\"; http_raw_uri; "
"content:\"two\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -622,8 +622,8 @@ int DetectHttpRawUriTest12(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_uri; "
"content:two; distance:0; http_raw_uri; sid:1;)");
"(content:\"one\"; http_raw_uri; "
"content:\"two\"; distance:0; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -669,8 +669,8 @@ int DetectHttpRawUriTest13(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_uri; "
"content:two; within:5; http_raw_uri; sid:1;)");
"(content:\"one\"; http_raw_uri; "
"content:\"two\"; within:5; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -716,7 +716,7 @@ int DetectHttpRawUriTest14(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; within:5; http_raw_uri; sid:1;)");
"(content:\"one\"; within:5; http_raw_uri; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -740,7 +740,7 @@ int DetectHttpRawUriTest15(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_uri; within:5; sid:1;)");
"(content:\"one\"; http_raw_uri; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -764,7 +764,7 @@ int DetectHttpRawUriTest16(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; within:5; sid:1;)");
"(content:\"one\"; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -788,8 +788,8 @@ int DetectHttpRawUriTest17(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_uri; "
"content:two; distance:0; http_raw_uri; sid:1;)");
"(content:\"one\"; http_raw_uri; "
"content:\"two\"; distance:0; http_raw_uri; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -835,8 +835,8 @@ int DetectHttpRawUriTest18(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_raw_uri; "
"content:two; within:5; http_raw_uri; "
"(content:\"one\"; http_raw_uri; "
"content:\"two\"; within:5; http_raw_uri; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");

38
src/detect-http-uri.c
Unescape Escape View File

@ -343,7 +343,7 @@ int DetectHttpUriTest06(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; http_uri; sid:1;)");
"(content:\"one\"; content:\"one\"; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -382,7 +382,7 @@ int DetectHttpUriTest07(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_uri; content:one; sid:1;)");
"(content:\"one\"; http_uri; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -421,7 +421,7 @@ int DetectHttpUriTest08(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; content:one; http_uri; content:one; sid:1;)");
"(content:\"one\"; content:\"one\"; content:\"one\"; http_uri; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -460,7 +460,7 @@ int DetectHttpUriTest09(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_uri; content:one; content:one; content:one; sid:1;)");
"(content:\"one\"; http_uri; content:\"one\"; content:\"one\"; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -499,8 +499,8 @@ int DetectHttpUriTest10(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_uri; "
"content:one; content:one; http_uri; content:one; sid:1;)");
"(content:\"one\"; http_uri; "
"content:\"one\"; content:\"one\"; http_uri; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -540,8 +540,8 @@ int DetectHttpUriTest11(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_uri; "
"content:one; content:one; http_uri; content:two; sid:1;)");
"(content:\"one\"; http_uri; "
"content:\"one\"; content:\"one\"; http_uri; content:\"two\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -581,8 +581,8 @@ int DetectHttpUriTest12(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_uri; "
"content:two; distance:0; http_uri; sid:1;)");
"(content:\"one\"; http_uri; "
"content:\"two\"; distance:0; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -625,8 +625,8 @@ int DetectHttpUriTest13(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_uri; "
"content:two; within:5; http_uri; sid:1;)");
"(content:\"one\"; http_uri; "
"content:\"two\"; within:5; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -669,7 +669,7 @@ int DetectHttpUriTest14(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; within:5; http_uri; sid:1;)");
"(content:\"one\"; within:5; http_uri; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -693,7 +693,7 @@ int DetectHttpUriTest15(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_uri; within:5; sid:1;)");
"(content:\"one\"; http_uri; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -717,7 +717,7 @@ int DetectHttpUriTest16(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; within:5; sid:1;)");
"(content:\"one\"; within:5; sid:1;)");
if (de_ctx->sig_list != NULL) {
printf("de_ctx->sig_list != NULL\n");
goto end;
@ -741,8 +741,8 @@ int DetectHttpUriTest17(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(uricontent:one; "
"content:two; distance:0; http_uri; sid:1;)");
"(uricontent:\"one\"; "
"content:\"two\"; distance:0; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -785,8 +785,8 @@ int DetectHttpUriTest18(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(uricontent:one; "
"content:two; within:5; http_uri; sid:1;)");
"(uricontent:\"one\"; "
"content:\"two\"; within:5; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;

24
src/detect-isdataat.c
Unescape Escape View File

@ -572,7 +572,7 @@ int DetectIsdataatTestParse05(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; "
"content:\"one\"; distance:0; "
"isdataat:4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
@ -595,7 +595,7 @@ int DetectIsdataatTestParse05(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; "
"content:\"one\"; distance:0; "
"isdataat:4,relative; sid:1;)");
if (s->next == NULL) {
result = 0;
@ -618,7 +618,7 @@ int DetectIsdataatTestParse05(void)
"(msg:\"Testing bytejump_body\"; "
"dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
"dce_stub_data; "
"content:one; distance:0; "
"content:\"one\"; distance:0; "
"isdataat:4,relative,rawbytes; sid:1;)");
if (s->next == NULL) {
result = 0;
@ -639,7 +639,7 @@ int DetectIsdataatTestParse05(void)
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; isdataat:4,relative,rawbytes; sid:1;)");
"content:\"one\"; isdataat:4,relative,rawbytes; sid:1;)");
if (s->next == NULL) {
result = 0;
goto end;
@ -672,7 +672,7 @@ int DetectIsdataatTestParse06(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; "
"content:\"one\"; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
@ -716,7 +716,7 @@ int DetectIsdataatTestParse07(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"uricontent:one; "
"uricontent:\"one\"; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
@ -760,7 +760,7 @@ int DetectIsdataatTestParse08(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; http_uri; "
"content:\"one\"; http_uri; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
@ -804,7 +804,7 @@ int DetectIsdataatTestParse09(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; http_client_body; "
"content:\"one\"; http_client_body; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
@ -848,7 +848,7 @@ int DetectIsdataatTestParse10(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; http_header; "
"content:\"one\"; http_header; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
@ -892,7 +892,7 @@ int DetectIsdataatTestParse11(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; http_raw_header; "
"content:\"one\"; http_raw_header; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
@ -936,7 +936,7 @@ int DetectIsdataatTestParse12(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; http_method; "
"content:\"one\"; http_method; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
@ -980,7 +980,7 @@ int DetectIsdataatTestParse13(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; http_cookie; "
"content:\"one\"; http_cookie; "
"isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;

2
src/detect-pcre.c
Unescape Escape View File

@ -1503,7 +1503,7 @@ int DetectPcreParseTest11(void)
s->next = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:one; pcre:/bamboo/; sid:1;)");
"content:\"one\"; pcre:/bamboo/; sid:1;)");
if (s->next == NULL) {
result = 0;
goto end;

13
src/detect-priority.c
Unescape Escape View File

@ -94,10 +94,21 @@ static int DetectPrioritySetup (DetectEngineCtx *de_ctx, Signature *s, char *raw
return -1;
}
long prio = 0;
char *endptr = NULL;
prio = strtol(rawstr, &endptr, 10);
if (endptr == NULL || *endptr != '\0') {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Saw an invalid character as arg "
"to priority keyword");
goto error;
}
s->prio = prio;
/* if we have reached here, we have had a valid priority. Assign it */
s->prio = atoi(prio_str);
//s->prio = atoi(prio_str);
return 0;
error:
return -1;
}
/*------------------------------Unittests-------------------------------------*/

16
src/detect-rev.c
Unescape Escape View File

@ -53,10 +53,24 @@ static int DetectRevSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
dubbed = 1;
}
s->rev = (uint8_t)atoi(str);
long rev = 0;
char *endptr = NULL;
rev = strtol(rawstr, &endptr, 10);
if (endptr == NULL || *endptr != '\0') {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Saw an invalid character as arg "
"to rev keyword");
goto error;
}
s->rev = rev;
//s->rev = (uint8_t)atoi(str);
if (dubbed)
SCFree(str);
return 0;
error:
if (dubbed)
SCFree(str);
return -1;
}

16
src/detect-sid.c
Unescape Escape View File

@ -53,10 +53,24 @@ static int DetectSidSetup (DetectEngineCtx *de_ctx, Signature *s, char *sidstr)
dubbed = 1;
}
s->id = (uint32_t)atoi(str);
long id = 0;
char *endptr = NULL;
id = strtol(sidstr, &endptr, 10);
if (endptr == NULL || *endptr != '\0') {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Saw an invalid character as arg "
"to sid keyword");
goto error;
}
s->id = id;
//s->id = (uint32_t)atoi(str);
if (dubbed)
SCFree(str);
return 0;
error:
if (dubbed)
SCFree(str);
return -1;
}

57
src/detect-uricontent.c
Unescape Escape View File

@ -225,16 +225,21 @@ DetectContentData *DoDetectUricontentSetup (char * contentstr)
if ((str = SCStrdup(temp + pos + 1)) == NULL)
goto error;
str[strlen(temp) - pos - 2] = '\0';
} else if (temp[pos] == '\"' || temp[pos + strlen(temp + pos) - 1] == '\"') {
goto error;
} else {
if ((str = SCStrdup(temp + pos)) == NULL)
goto error;
SCLogError(SC_ERR_INVALID_SIGNATURE, "uricontent keywords's argument "
"should be always enclosed in double quotes. Invalid "
"content keyword passed in this rule - \"%s\"",
contentstr);
goto error;
}
str[strlen(temp) - pos - 2] = '\0';
SCFree(temp);
temp = NULL;
len = strlen(str);
if (len == 0)
goto error;
SCLogDebug("\"%s\", len %" PRIu32 "", str, len);
char converted = 0;
@ -1655,7 +1660,7 @@ int DetectUriSigTest08(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:""; sid:238012;)");
"(msg:\"test\"; uricontent:\"\"; sid:238012;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1811,7 +1816,7 @@ int DetectUriContentParseTest13(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:|; sid:1;)");
"(msg:\"test\"; uricontent:\"|\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1840,7 +1845,7 @@ int DetectUriContentParseTest14(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:|af; sid:1;)");
"(msg:\"test\"; uricontent:\"|af\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1869,7 +1874,7 @@ int DetectUriContentParseTest15(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:af|; sid:1;)");
"(msg:\"test\"; uricontent:\"af|\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1898,7 +1903,7 @@ int DetectUriContentParseTest16(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:|af|; sid:1;)");
"(msg:\"test\"; uricontent:\"|af|\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -1927,7 +1932,7 @@ int DetectUriContentParseTest17(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:aast|; sid:1;)");
"(msg:\"test\"; uricontent:\"aast|\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1956,7 +1961,7 @@ int DetectUriContentParseTest18(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:aast|af; sid:1;)");
"(msg:\"test\"; uricontent:\"aast|af\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -1985,7 +1990,7 @@ int DetectUriContentParseTest19(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:aast|af|; sid:1;)");
"(msg:\"test\"; uricontent:\"aast|af|\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -2014,7 +2019,7 @@ int DetectUriContentParseTest20(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:|af|asdf; sid:1;)");
"(msg:\"test\"; uricontent:\"|af|asdf\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -2043,7 +2048,7 @@ int DetectUriContentParseTest21(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:|af|af|; sid:1;)");
"(msg:\"test\"; uricontent:\"|af|af|\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -2072,7 +2077,7 @@ int DetectUriContentParseTest22(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:|af|af|af; sid:1;)");
"(msg:\"test\"; uricontent:\"|af|af|af\"; sid:1;)");
if (de_ctx->sig_list != NULL) {
result = 0;
goto end;
@ -2101,7 +2106,7 @@ int DetectUriContentParseTest23(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert udp any any -> any any "
"(msg:\"test\"; uricontent:|af|af|af|; sid:1;)");
"(msg:\"test\"; uricontent:\"|af|af|af|\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -2125,7 +2130,7 @@ int DetectUricontentSigTest08(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; content:one; http_uri; sid:1;)");
"(content:\"one\"; content:\"one\"; http_uri; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2164,7 +2169,7 @@ int DetectUricontentSigTest09(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(uricontent:one; content:one; sid:1;)");
"(uricontent:\"one\"; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2203,8 +2208,8 @@ int DetectUricontentSigTest10(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(uricontent:one; content:one; content:one; http_uri; "
"content:two; content:one; sid:1;)");
"(uricontent:\"one\"; content:\"one\"; content:\"one\"; http_uri; "
"content:\"two\"; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2246,8 +2251,8 @@ int DetectUricontentSigTest11(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_uri; content:one; uricontent:one; "
"content:two; content:one; sid:1;)");
"(content:\"one\"; http_uri; content:\"one\"; uricontent:\"one\"; "
"content:\"two\"; content:\"one\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;
@ -2289,10 +2294,10 @@ int DetectUricontentSigTest12(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:one; http_uri; content:one; uricontent:one; "
"content:two; content:one; http_uri; content:one; "
"uricontent:one; uricontent: two; "
"content:one; content:three; sid:1;)");
"(content:\"one\"; http_uri; content:\"one\"; uricontent:\"one\"; "
"content:\"two\"; content:\"one\"; http_uri; content:\"one\"; "
"uricontent:\"one\"; uricontent: \"two\"; "
"content:\"one\"; content:\"three\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
goto end;

2
src/detect-within.c
Unescape Escape View File

@ -893,7 +893,7 @@ int DetectWithinTestPacket02 (void) {
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"pcre with within "
"modifier\"; content:Five; content:Ten; within:3; distance:1; sid:1;)";
"modifier\"; content:\"Five\"; content:\"Ten\"; within:3; distance:1; sid:1;)";
result = UTHPacketMatchSig(p, sig);

4
src/log-droplog.c
Unescape Escape View File

@ -428,7 +428,7 @@ int LogDropLogTest01()
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any any "
"(msg:\"LogDropLog test\"; content:GET; Classtype:unknown; sid:1;)");
"(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)");
result = (de_ctx->sig_list != NULL);
@ -496,7 +496,7 @@ int LogDropLogTest02()
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx->sig_list = SigInit(de_ctx, "alert udp any any -> any any "
"(msg:\"LogDropLog test\"; content:GET; Classtype:unknown; sid:1;)");
"(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)");
result = (de_ctx->sig_list != NULL);

68
src/util-mpm-b2g-cuda.c
Unescape Escape View File

@ -2591,7 +2591,7 @@ static int B2gCudaTest02(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:test; sid:1;)");
"content:\"test\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("signature parsing failed\n");
goto end;
@ -2810,7 +2810,7 @@ static int B2gCudaTest03(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:test; sid:0;)");
"content:\"test\"; sid:0;)");
if (de_ctx->sig_list == NULL) {
printf("signature parsing failed\n");
goto end;
@ -2818,7 +2818,7 @@ static int B2gCudaTest03(void)
sig = de_ctx->sig_list;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:one; sid:1;)");
"content:\"one\"; sid:1;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -2826,7 +2826,7 @@ static int B2gCudaTest03(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:two; sid:2;)");
"content:\"two\"; sid:2;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -2834,7 +2834,7 @@ static int B2gCudaTest03(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:three; sid:3;)");
"content:\"three\"; sid:3;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -2842,7 +2842,7 @@ static int B2gCudaTest03(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:four; sid:4;)");
"content:\"four\"; sid:4;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -2850,7 +2850,7 @@ static int B2gCudaTest03(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:five; sid:5;)");
"content:\"five\"; sid:5;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -2858,7 +2858,7 @@ static int B2gCudaTest03(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:six; sid:6;)");
"content:\"six\"; sid:6;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -2866,7 +2866,7 @@ static int B2gCudaTest03(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:seven; sid:7;)");
"content:\"seven\"; sid:7;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -2874,7 +2874,7 @@ static int B2gCudaTest03(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:eight; sid:8;)");
"content:\"eight\"; sid:8;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -2882,7 +2882,7 @@ static int B2gCudaTest03(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:nine; sid:9;)");
"content:\"nine\"; sid:9;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -2890,7 +2890,7 @@ static int B2gCudaTest03(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:ten; sid:10;)");
"content:\"ten\"; sid:10;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3133,7 +3133,7 @@ static int B2gCudaTest04(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:test; sid:0;)");
"content:\"test\"; sid:0;)");
if (de_ctx->sig_list == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3141,7 +3141,7 @@ static int B2gCudaTest04(void)
sig = de_ctx->sig_list;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:one; sid:1;)");
"content:\"one\"; sid:1;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3149,7 +3149,7 @@ static int B2gCudaTest04(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:two; sid:2;)");
"content:\"two\"; sid:2;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3157,7 +3157,7 @@ static int B2gCudaTest04(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:three; sid:3;)");
"content:\"three\"; sid:3;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3165,7 +3165,7 @@ static int B2gCudaTest04(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:four; sid:4;)");
"content:\"four\"; sid:4;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3173,7 +3173,7 @@ static int B2gCudaTest04(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:five; sid:5;)");
"content:\"five\"; sid:5;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3181,7 +3181,7 @@ static int B2gCudaTest04(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:six; sid:6;)");
"content:\"six\"; sid:6;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3189,7 +3189,7 @@ static int B2gCudaTest04(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:seven; sid:7;)");
"content:\"seven\"; sid:7;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3197,7 +3197,7 @@ static int B2gCudaTest04(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:eight; sid:8;)");
"content:\"eight\"; sid:8;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3205,7 +3205,7 @@ static int B2gCudaTest04(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:nine; sid:9;)");
"content:\"nine\"; sid:9;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3213,7 +3213,7 @@ static int B2gCudaTest04(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:ten; sid:10;)");
"content:\"ten\"; sid:10;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3477,7 +3477,7 @@ static int B2gCudaTest05(void)
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:test; sid:0;)");
"content:\"test\"; sid:0;)");
if (de_ctx->sig_list == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3485,7 +3485,7 @@ static int B2gCudaTest05(void)
sig = de_ctx->sig_list;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:one; sid:1;)");
"content:\"one\"; sid:1;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3493,7 +3493,7 @@ static int B2gCudaTest05(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:two; sid:2;)");
"content:\"two\"; sid:2;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3501,7 +3501,7 @@ static int B2gCudaTest05(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:three; sid:3;)");
"content:\"three\"; sid:3;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3509,7 +3509,7 @@ static int B2gCudaTest05(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:four; sid:4;)");
"content:\"four\"; sid:4;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3517,7 +3517,7 @@ static int B2gCudaTest05(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:five; sid:5;)");
"content:\"five\"; sid:5;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3525,7 +3525,7 @@ static int B2gCudaTest05(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:six; sid:6;)");
"content:\"six\"; sid:6;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3533,7 +3533,7 @@ static int B2gCudaTest05(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:seven; sid:7;)");
"content:\"seven\"; sid:7;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3541,7 +3541,7 @@ static int B2gCudaTest05(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:eight; sid:8;)");
"content:\"eight\"; sid:8;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3549,7 +3549,7 @@ static int B2gCudaTest05(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:nine; sid:9;)");
"content:\"nine\"; sid:9;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;
@ -3557,7 +3557,7 @@ static int B2gCudaTest05(void)
sig = sig->next;
sig->next = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Bamboo\"; "
"content:ten; sid:10;)");
"content:\"ten\"; sid:10;)");
if (sig->next == NULL) {
printf("signature parsing failed\n");
goto end;

Write Preview
Loading…
Cancel
Save