From d05e4202d4480e54f913c5e0d1f3620fad9f071b Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Tue, 2 Mar 2010 15:02:40 +0530
Subject: [PATCH] Fix for bug 1. Update distance/within keyword to behave the way snort does
---
 src/detect-content.c | 449 ++++++++++++++++++++++++++++++++++++++------------
 1 files changed, 340 insertions(+), 109 deletions(-)
diff --git a/src/detect-content.c b/src/detect-content.c
index c924679..5298dc3 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -253,7 +253,8 @@ int TestWithinDistanceOffsetDepth(ThreadVars *t,
 if (nm->offset >= pktoff) {
 if ((!(nco->flags & DETECT_CONTENT_WITHIN) ||
 (nco->within > 0 && (nm->offset > m->offset) &&
- (((nm->offset + nco->content_len) - m->offset) <= (nco->within + co->content_len))))) {
+ (((nm->offset + nco->content_len) - m->offset) <=
+ (nco->within + co->content_len + nco->distance))))) {
 SCLogDebug("MATCH: %" PRIu32 " <= WITHIN(%" PRIu32 ")",
 (nm->offset + nco->content_len) - m->offset,
 nco->within + co->content_len);
@@ -1540,7 +1541,9 @@ void DetectContentFree(void *ptr) {
 SCFree(cd);
 }
 
-#ifdef UNITTESTS /* UNITTESTS */
+/*******************************Unittests**************************************/
+
+#ifdef UNITTESTS
 
 /**
 * \test DetectCotentParseTest01 this is a test to make sure we can deal with escaped colons
@@ -2712,7 +2715,7 @@ int DetectContentParseNegTest16(void) {
 return result;
 }
 
-static int SigTestPositiveTestContent(char *rule, uint8_t *buf)
+static int DetectContentSigTestPositiveTestContent(char *rule, uint8_t *buf)
 {
 uint16_t buflen = strlen((char *)buf);
 Packet p;
@@ -2767,7 +2770,7 @@ end:
 return result;
 }
 
-static int SigTestNegativeTestContent(char *rule, uint8_t *buf)
+static int DetectContentSigTestNegativeTestContent(char *rule, uint8_t *buf)
 {
 uint16_t buflen = strlen((char *)buf);
 Packet p;
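Review bot: The SCLogDebug() on the context lines immediately below the changed condition still prints `nco->within + co->content_len` as the WITHIN bound, so the debug output no longer shows the value the new code actually compares against; it should print the same term, `nco->within + co->content_len + nco->distance);`. The new bound also folds `distance` into a single expression that is compared with unsigned lengths and offsets, so if `distance` can hold a negative value (its type is not visible in this hunk), a negative term would wrap the bound upward and make the within check vacuous instead of tighter — computing the allowed window in a wider signed temporary and rejecting a negative window would make that explicit and safe. The condition as written only bounds the far end of the new match; I assume the near end (the distance requirement itself) is enforced elsewhere in the DETECT_CONTENT_DISTANCE path, which is not in the hunk. TestWithinDistanceOffsetDepth begins before this hunk and continues after it.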
@@ -2825,18 +2828,18 @@ end: * \test A positive test that checks that the content string doesn't contain * the negated content */ -static int SigTest41TestNegatedContent(void) +static int DetectContentSigTest41TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!GES; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!GES; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"); } /** * \test A positive test that checks that the content string doesn't contain * the negated content within the specified depth */ -static int SigTest42TestNegatedContent(void) +static int DetectContentSigTest42TestNegatedContent(void) { // 01 5 10 15 20 24 - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!twentythree; depth:22; offset:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!twentythree; depth:22; offset:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** 
@@ -2845,9 +2848,9 @@ static int SigTest42TestNegatedContent(void) * specified offset. If it is present in the depth we get a failure * anyways, and we don't do a check on the offset */ -static int SigTest43TestNegatedContent(void) +static int DetectContentSigTest43TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!twentythree; depth:15; offset:22; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!twentythree; depth:15; offset:22; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** 
@@ -2855,27 +2858,27 @@ static int SigTest43TestNegatedContent(void) * the negated content after the specified offset and within the specified * depth. */ -static int SigTest44TestNegatedContent(void) +static int DetectContentSigTest44TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!twentythree; offset:40; depth:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!twentythree; offset:40; depth:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** * \test A positive test that uses a combination of content string with negated * content string */ -static int SigTest45TestNegatedContent(void) +static int DetectContentSigTest45TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:5; content:!twentythree; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:5; content:!twentythree; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** * \test A negative test that uses a combination of content string with negated * content string, with we receiving a failure for 'onee' itself. 
*/ -static int SigTest46TestNegatedContent(void) +static int DetectContentSigTest46TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:onee; content:!twentythree; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:onee; content:!twentythree; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** 
@@ -2883,197 +2886,381 @@ static int SigTest46TestNegatedContent(void) * content string, with we receiving a failure of first content's offset * condition */ -static int SigTest47TestNegatedContent(void) +static int DetectContentSigTest47TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; offset:5; content:!twentythree; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; offset:5; content:!twentythree; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** * \test A positive test that checks that we don't have a negated content within * the specified length from the previous content match. */ -static int SigTest48TestNegatedContent(void) +static int DetectContentSigTest48TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GET; content:!GES; within:26; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GET; content:!GES; within:26; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"); } /** * \test A negative test that checks the combined use of content and negated * content with the use of within */ -static int SigTest49TestNegatedContent(void) +static int DetectContentSigTest49TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GET; content:!Host; within:26; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: 
two.example.org\r\n\r\n\r\n"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GET; content:!Host; within:26; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"); } /** * \test A positive test that checks the combined use of content and negated * content with the use of distance */ -static int SigTest50TestNegatedContent(void) +static int DetectContentSigTest50TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GET; content:!GES; distance:25; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GET; content:!GES; distance:25; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"); } /** * \test A negative test that checks the combined use of content and negated * content with the use of distance */ -static int SigTest51TestNegatedContent(void) +static int DetectContentSigTest51TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GET; content:!Host; distance:18; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GET; content:!Host; distance:18; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"); } /** * \test A negative test that checks the combined use of content and negated * content, with the content not being present */ -static int 
SigTest52TestNegatedContent(void) +static int DetectContentSigTest52TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GES; content:!BOO; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:GES; content:!BOO; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"); } /** * \test A negative test that checks the combined use of content and negated * content, in the presence of within */ -static int SigTest53TestNegatedContent(void) +static int DetectContentSigTest53TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** * \test A positive test that checks the combined use of content and negated * content, in the presence of within */ -static int SigTest54TestNegatedContent(void) +static int DetectContentSigTest54TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:20; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:20; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** * \test A 
negative test that checks the use of negated content along with * the presence of depth */ -static int SigTest55TestNegatedContent(void) +static int DetectContentSigTest55TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!one; depth:5; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!one; depth:5; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** * \test A positive test that checks the combined use of 2 contents in the * presence of within */ -static int SigTest56TestNegatedContent(void) +static int DetectContentSigTest56TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** * \test A negative test that checks the combined use of content and negated * content, in the presence of within */ -static int SigTest57TestNegatedContent(void) +static int DetectContentSigTest57TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** * \test A positive test that 
checks the combined use of content and negated * content, in the presence of distance */ -static int SigTest58TestNegatedContent(void) +static int DetectContentSigTest58TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; distance:57; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; distance:57; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } /** * \test A negative test that checks the combined use of content and negated * content, in the presence of distance */ -static int SigTest59TestNegatedContent(void) +static int DetectContentSigTest59TestNegatedContent(void) +{ + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; distance:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); +} + +static int DetectContentSigTest60TestNegatedContent(void) +{ + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!one; content:fourty; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); +} + +static int DetectContentSigTest61TestNegatedContent(void) +{ + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); +} + +static int DetectContentSigTest62TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; distance:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix 
fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:30; depth:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } -static int SigTest60TestNegatedContent(void) +static int DetectContentSigTest63TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!one; content:fourty; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } -static int SigTest61TestNegatedContent(void) +static int DetectContentSigTest64TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:30; depth:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } -static int SigTest62TestNegatedContent(void) +static int DetectContentSigTest65TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:30; depth:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:30; offset:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive 
fourtysix fiftysix"); } -static int SigTest63TestNegatedContent(void) +static int DetectContentSigTest66TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:30; offset:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } -static int SigTest64TestNegatedContent(void) +static int DetectContentSigTest67TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:30; depth:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!four; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } -static int SigTest65TestNegatedContent(void) +static int DetectContentSigTest68TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:30; offset:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:nine; offset:8; content:!fourty; within:28; content:fiftysix; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } -static int SigTest66TestNegatedContent(void) +static int DetectContentSigTest69TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any 
any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!fourty; within:30; offset:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:nine; offset:8; content:!fourty; within:48; content:fiftysix; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } -static int SigTest67TestNegatedContent(void) +static int DetectContentSigTest70TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:!four; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:52; distance:45 sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } -static int SigTest68TestNegatedContent(void) +static int DetectContentSigTest71TestNegatedContent(void) { - return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:nine; offset:8; content:!fourty; within:28; content:fiftysix; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:40; distance:43; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } -static int SigTest69TestNegatedContent(void) +static int DetectContentSigTest72TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:10; content:nine; offset:8; content:!fourty; within:48; content:fiftysix; sid:1;)", (uint8_t 
*)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:52; distance:47; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } -static int SigTest70TestNegatedContent(void) +static int DetectContentSigTest73TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:52; distance:45 sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:5; content:!twentythree; depth:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); } -static int SigTest71TestNegatedContent(void) +static int DetectContentSigTest74TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:40; distance:43; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:!\"PASS\"; sid:1;)", (uint8_t *)"USER apple"); } -static int SigTest72TestNegatedContent(void) +static int DetectContentSigTest75TestNegatedContent(void) { - return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; content:!fourty; within:52; distance:47; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix"); + return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)", (uint8_t *)"USER !PASS"); } -static int SigTest73TestNegatedContent(void) +static int 
DetectContentSigTest76TestDistanceWithin(void)
 {
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:one; depth:5; content:!twentythree; depth:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
+ uint8_t *buf = (uint8_t *)"FirstStringPadSecondString";
+ uint16_t buflen = strlen((char *)buf);
+ Packet p;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx;
+ int result = 0;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.payload = buf;
+ p.payload_len = buflen;
+ p.proto = IPPROTO_TCP;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Test distance within\"; "
+ "content:FirstString; "
+ "content:SecondString; within:12; distance:3; sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+ if (PacketAlertCheck(&p, 1) == 1)
+ result = 1;
+
+end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+static int DetectContentSigNegativeTest77TestDistanceWithin(void)
+{
+ uint8_t *buf = (uint8_t *)"FirstStringPadSecondString";
+ uint16_t buflen = strlen((char *)buf);
+ Packet p;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx;
+ int result = 0;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.payload = buf;
+ p.payload_len = buflen;
+ p.proto = IPPROTO_TCP;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Test distance within\"; "
+ "content:FirstString; "
+ "content:SecondString; within:12; distance:2; sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+ if (PacketAlertCheck(&p, 1) == 0)
+ result = 1;
+
+end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
 }
-static int SigTest74TestNegatedContent(void)
+static int DetectContentSigTest78TestDistanceWithin(void)
 {
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:!\"PASS\"; sid:1;)", (uint8_t *)"USER apple");
+ uint8_t *buf = (uint8_t *)"AllWorkAndNoPlayMakesWillADullBoy";
+ uint16_t buflen = strlen((char *)buf);
+ Packet p;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx;
+ int result = 0;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.payload = buf;
+ p.payload_len = buflen;
+ p.proto = IPPROTO_TCP;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Test distance within\"; "
+ "content:AllWorkAndNoPlayMakesWill; "
+ "content:DullBoy; within:7; distance:1; sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+ if (PacketAlertCheck(&p, 1) == 1)
+ result = 1;
+
+end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
 }
-static int SigTest75TestNegatedContent(void)
+static int DetectContentSigTest79TestDistanceWithin(void)
 {
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)", (uint8_t *)"USER !PASS");
+ uint8_t *buf = (uint8_t *)"AllWorkAndNoPlayMakesWillADullBoy";
+ uint16_t buflen = strlen((char *)buf);
+ Packet p;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx;
+ int result = 0;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.payload = buf;
+ p.payload_len = buflen;
+ p.proto = IPPROTO_TCP;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Test distance within\"; "
+ "content:AllWorkAndNoPlayMakesWill; "
+ "content:DullBoy; distance:1; sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ goto end;
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+ if (PacketAlertCheck(&p, 1) == 1)
+ result = 1;
+
+end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
 }
 #endif /* UNITTESTS */
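Review bot: In each of the four new DetectContentSigTest76–79 bodies `DetectEngineThreadCtx *det_ctx;` is left uninitialized, yet both `goto end` paths (DetectEngineCtxInit() returning NULL, or SigInit() returning NULL before DetectEngineThreadCtxInit() runs) reach `DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx)` with an indeterminate pointer, and the first path also hands a NULL `de_ctx` to SigGroupCleanup/SigCleanSignatures/DetectEngineCtxFree, whose NULL tolerance is not visible here. Initialise and guard it — `DetectEngineThreadCtx *det_ctx = NULL;` and `if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);` — or use one cleanup label per acquired resource. The same ~40-line fixture is pasted four times even though the commit renames DetectContentSigTestPositiveTestContent/NegativeTestContent in this very file for that purpose; assuming those helpers build the packet the same way (their bodies are outside the hunk), each test collapses to a one-liner like tests 41–75, e.g. `return DetectContentSigTestPositiveTestContent("alert tcp any any -> any any (msg:\"Test distance within\"; content:FirstString; content:SecondString; within:12; distance:3; sid:1;)", (uint8_t *)"FirstStringPadSecondString");`. Test 77 is named DetectContentSigNegativeTest77TestDistanceWithin, breaking the DetectContentSigTestNN pattern used by every other test here, and none of tests 60–79 carry the `\test` comment the earlier tests use to state what the rule is expected to do. Separately, the rule in DetectContentSigTest70 reads `within:52; distance:45 sid:1;` with no `;` after `distance:45`, so a rule-parse failure alone makes this negative test pass without ever exercising the matcher; it needs `distance:45; sid:1;`.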
@@ -3124,41 +3311,85 @@ void DetectContentRegisterTests(void)
 UtRegisterTest("DetectContentChunkMatchTest11", DetectContentChunkMatchTest11, 1);
 /* Negated content tests */
- UtRegisterTest("SigTest41TestNegatedContent", SigTest41TestNegatedContent, 1);
- UtRegisterTest("SigTest42TestNegatedContent", SigTest42TestNegatedContent, 1);
- UtRegisterTest("SigTest43TestNegatedContent", SigTest43TestNegatedContent, 1);
- UtRegisterTest("SigTest44TestNegatedContent", SigTest44TestNegatedContent, 1);
- UtRegisterTest("SigTest45TestNegatedContent", SigTest45TestNegatedContent, 1);
- UtRegisterTest("SigTest46TestNegatedContent", SigTest46TestNegatedContent, 1);
- UtRegisterTest("SigTest47TestNegatedContent", SigTest47TestNegatedContent, 1);
- UtRegisterTest("SigTest48TestNegatedContent", SigTest48TestNegatedContent, 1);
- UtRegisterTest("SigTest49TestNegatedContent", SigTest49TestNegatedContent, 1);
- UtRegisterTest("SigTest50TestNegatedContent", SigTest50TestNegatedContent, 1);
- UtRegisterTest("SigTest51TestNegatedContent", SigTest51TestNegatedContent, 1);
- UtRegisterTest("SigTest52TestNegatedContent", SigTest52TestNegatedContent, 1);
- UtRegisterTest("SigTest53TestNegatedContent", SigTest53TestNegatedContent, 1);
- UtRegisterTest("SigTest54TestNegatedContent", SigTest54TestNegatedContent, 1);
- UtRegisterTest("SigTest55TestNegatedContent", SigTest55TestNegatedContent, 1);
- UtRegisterTest("SigTest56TestNegatedContent", SigTest56TestNegatedContent, 1);
- UtRegisterTest("SigTest57TestNegatedContent", SigTest57TestNegatedContent, 1);
- UtRegisterTest("SigTest58TestNegatedContent", SigTest58TestNegatedContent, 1);
- UtRegisterTest("SigTest59TestNegatedContent", SigTest59TestNegatedContent, 1);
- UtRegisterTest("SigTest60TestNegatedContent", SigTest60TestNegatedContent, 1);
- UtRegisterTest("SigTest61TestNegatedContent", SigTest61TestNegatedContent, 1);
- UtRegisterTest("SigTest62TestNegatedContent", SigTest62TestNegatedContent, 1);
- UtRegisterTest("SigTest63TestNegatedContent", SigTest63TestNegatedContent, 1);
- UtRegisterTest("SigTest64TestNegatedContent", SigTest64TestNegatedContent, 1);
- UtRegisterTest("SigTest65TestNegatedContent", SigTest65TestNegatedContent, 1);
- UtRegisterTest("SigTest66TestNegatedContent", SigTest66TestNegatedContent, 1);
- UtRegisterTest("SigTest67TestNegatedContent", SigTest67TestNegatedContent, 1);
- UtRegisterTest("SigTest68TestNegatedContent", SigTest68TestNegatedContent, 1);
- UtRegisterTest("SigTest69TestNegatedContent", SigTest69TestNegatedContent, 1);
- UtRegisterTest("SigTest70TestNegatedContent", SigTest70TestNegatedContent, 1);
- UtRegisterTest("SigTest71TestNegatedContent", SigTest71TestNegatedContent, 1);
- UtRegisterTest("SigTest72TestNegatedContent", SigTest72TestNegatedContent, 1);
- UtRegisterTest("SigTest73TestNegatedContent", SigTest73TestNegatedContent, 1);
- UtRegisterTest("SigTest74TestNegatedContent", SigTest74TestNegatedContent, 1);
- UtRegisterTest("SigTest75TestNegatedContent", SigTest75TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest41TestNegatedContent",
+ DetectContentSigTest41TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest42TestNegatedContent",
+ DetectContentSigTest42TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest43TestNegatedContent",
+ DetectContentSigTest43TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest44TestNegatedContent",
+ DetectContentSigTest44TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest45TestNegatedContent",
+ DetectContentSigTest45TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest46TestNegatedContent",
+ DetectContentSigTest46TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest47TestNegatedContent",
+ DetectContentSigTest47TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest48TestNegatedContent",
+ DetectContentSigTest48TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest49TestNegatedContent",
+ DetectContentSigTest49TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest50TestNegatedContent",
+ DetectContentSigTest50TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest51TestNegatedContent",
+ DetectContentSigTest51TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest52TestNegatedContent",
+ DetectContentSigTest52TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest53TestNegatedContent",
+ DetectContentSigTest53TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest54TestNegatedContent",
+ DetectContentSigTest54TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest55TestNegatedContent",
+ DetectContentSigTest55TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest56TestNegatedContent",
+ DetectContentSigTest56TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest57TestNegatedContent",
+ DetectContentSigTest57TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest58TestNegatedContent",
+ DetectContentSigTest58TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest59TestNegatedContent",
+ DetectContentSigTest59TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest60TestNegatedContent",
+ DetectContentSigTest60TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest61TestNegatedContent",
+ DetectContentSigTest61TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest62TestNegatedContent",
+ DetectContentSigTest62TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest63TestNegatedContent",
+ DetectContentSigTest63TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest64TestNegatedContent",
+ DetectContentSigTest64TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest65TestNegatedContent",
+ DetectContentSigTest65TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest66TestNegatedContent",
+ DetectContentSigTest66TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest67TestNegatedContent",
+ DetectContentSigTest67TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest68TestNegatedContent",
+ DetectContentSigTest68TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest69TestNegatedContent",
+ DetectContentSigTest69TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest70TestNegatedContent",
+ DetectContentSigTest70TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest71TestNegatedContent",
+ DetectContentSigTest71TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest72TestNegatedContent",
+ DetectContentSigTest72TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest73TestNegatedContent",
+ DetectContentSigTest73TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest74TestNegatedContent",
+ DetectContentSigTest74TestNegatedContent, 1);
+ UtRegisterTest("DetectContentSigTest75TestNegatedContent",
+ DetectContentSigTest75TestNegatedContent, 1);
+
+ UtRegisterTest("DetectContentSigTest76TestDistanceWithin",
+ DetectContentSigTest76TestDistanceWithin, 1);
+ UtRegisterTest("DetectContentSigNegativeTest77TestDistanceWithin",
+ DetectContentSigNegativeTest77TestDistanceWithin, 1);
+ UtRegisterTest("DetectContentSigTest78TestDistanceWithin",
+ DetectContentSigTest78TestDistanceWithin, 1);
+ UtRegisterTest("DetectContentSigTest79TestDistanceWithin",
+ DetectContentSigTest79TestDistanceWithin, 1);
 #endif /* UNITTESTS */
 }
-- 1.5.5
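Review bot: The registration `UtRegisterTest("DetectContentSigNegativeTest77TestDistanceWithin", DetectContentSigNegativeTest77TestDistanceWithin, 1);` breaks the `DetectContentSigTestNN…` naming the other 38 entries in this hunk follow, which makes the numbered series harder to grep and to extend. The expected outcome is already fixed by the `PacketAlertCheck(&p, 1) == 0` comparison inside the test body, so the positive/negative distinction does not need to live in the symbol; `DetectContentSigTest77TestDistanceWithin` for both the string and the function pointer would keep the list uniform. The function that symbol refers to is defined outside this hunk and would need the same rename. Since every test name here is the stringified function name, a small `#define REGISTER_UT(fn) UtRegisterTest(#fn, fn, 1)` helper would also remove the copy-paste risk of a string and symbol drifting apart, though that is a follow-up for the whole of DetectContentRegisterTests rather than this commit.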