Suricata

This is a feature request for something done in Snort and it essentially forces pattern match from the beginning of a stream, not it's "body".

As for unit testing this rule, from Victor:

check for example DetectHttpServerBodyTest01. It parses a
sig and checks the internal state of the Signature structure. In such a
test you can for example test 'file_data; content:"http"; pkt_data;
content:"packet";'

This should result in 2 sigmatches, one in the http server body list,
the other in the pattern list.

Getting closer. I have a pkt-data.c in place and compiling but I need to get a handle on the sig (out of the engine) so I can check that the flag is set properly. Any tips on that?

What are you trying to do? Can you show some code?

Hey Victor, why do you think the engine is not loading the rule in to sig_lists? Do I need to do something else after calling SigInit?

Take a look at the most recent branch diff. It shows a fully-registered unit test. https://github.com/xrl/suricata/compare/keyword-pkt_data

I run the unit test with this command: "./src/suricata -u -U PktData"

Right, SigInit doesn't do that. Other tests use it like this:

    de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
    if (de_ctx->sig_list == NULL) {