/**
 * \test DetectIsdataatTestPacket02 checks that "isdataat:96,relative"
 *       is evaluated correctly when the preceding keyword is a pcre
 *       (bug 144).
 *
 * The payload is an HTTP-like request whose header lines are joined
 * without separators.
 *
 * \retval the value returned by UTHPacketMatchSig(), or 0 when the test
 *         packet could not be built.
 */
int DetectIsdataatTestPacket02 (void)
{
    uint8_t *payload = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
                    "User-Agent: Wget/1.11.4"
                    "Accept: */*"
                    "Host: www.google.com"
                    "Connection: Keep-Alive"
                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
    uint16_t payload_len = strlen((char *)payload);

    char rule[] = "alert tcp any any -> any any (msg:\"pcre with"
          " isdataat + relative\"; pcre:\"/A(ll|pp)WorkAndNoPlayMakesWillA"
          "DullBoy/\"; isdataat:96,relative; sid:1;)";

    Packet *pkt = UTHBuildPacket((uint8_t *)payload, payload_len, IPPROTO_TCP);
    if (pkt == NULL) {
        /* Without a packet there is nothing to inspect: report failure. */
        return 0;
    }

    int matched = UTHPacketMatchSig(pkt, rule);
    UTHFreePacket(pkt);
    return matched;
}
/**
 * \test DetectByteJumpTestPacket02 checks that a relative byte_jump works
 *       when the preceding keyword is itself a byte_jump (bug 165).
 *
 * The rule chains an absolute byte_jump, a relative byte_jump and a
 * content match limited by "within:3".
 *
 * \retval the value returned by UTHPacketMatchSig(), or 0 when the test
 *         packet could not be built.
 */
int DetectByteJumpTestPacket02 (void)
{
    uint8_t raw[] = {
        0x00, 0x00, 0x00, 0x77, 0xff, 0x53, 0x4d, 0x42,
        0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x92, 0xa4,
        0x01, 0x08, 0x17, 0x5c, 0x0e, 0xff, 0x00, 0x00,
        0x00, 0x01, 0x40, 0x48, 0x00, 0x00, 0x00, 0xff };
    uint16_t raw_len = sizeof(raw);

    char rule[] = "alert tcp any any -> any any (msg:\"byte_jump with byte_jump"
          " + relative\"; byte_jump:1,13; byte_jump:4,0,relative; "
          "content:\"|48 00 00|\"; within:3; sid:144; rev:1;)";

    Packet *pkt = UTHBuildPacket((uint8_t *)raw, raw_len, IPPROTO_TCP);
    if (pkt == NULL) {
        return 0;
    }

    int matched = UTHPacketMatchSig(pkt, rule);
    UTHFreePacket(pkt);
    return matched;
}
/**
 * \test byte_extract (string, dec, relative) feeding a later "depth".
 *
 * The rule extracts one byte into the variable "one" and uses it as the
 * depth of the second content. The test passes when the signature matches.
 *
 * \retval 1 when UTHPacketMatchSigMpm() reports a match, 0 otherwise.
 */
static int PayloadTestSig21(void)
{
    uint8_t raw[] = {
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
        0x36, /* ASCII digit '6' */
        0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
    };
    char rule[] = "alert tcp any any -> any any (msg:\"dummy\"; "
        "content:\"|01 02 03 04|\"; "
        "byte_extract:1,2,one,string,dec,relative; "
        "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
    uint16_t raw_len = sizeof(raw);

    Packet *pkt = UTHBuildPacket(raw, raw_len, IPPROTO_TCP);

    /* Any non-zero return from the matcher counts as success. */
    int passed = (UTHPacketMatchSigMpm(pkt, rule, DEFAULT_MPM) != 0) ? 1 : 0;

    if (pkt != NULL) {
        UTHFreePacket(pkt);
    }
    return passed;
}
/**
 * \test Negative byte_extract offset.
 *
 * The rule asks byte_extract to read at relative offset -3000, far before
 * the start of the 16-byte payload. The test passes only when the
 * signature does NOT match.
 *
 * \retval 1 when UTHPacketMatchSigMpm() returns 0 (no match), 0 otherwise.
 */
static int PayloadTestSig26(void)
{
    uint8_t raw[] = {
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
        0x35, /* ASCII digit '5' */
        0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
    };
    char rule[] = "alert tcp any any -> any any (msg:\"dummy\"; "
        "content:\"|35 07 08 09|\"; "
        "byte_extract:1,-3000,one,string,dec,relative; "
        "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
    uint16_t raw_len = sizeof(raw);

    Packet *pkt = UTHBuildPacket(raw, raw_len, IPPROTO_TCP);

    /* Success means the out-of-range extract produced no match. */
    int passed = (UTHPacketMatchSigMpm(pkt, rule, MPM_AC) == 0) ? 1 : 0;

    if (pkt != NULL) {
        UTHFreePacket(pkt);
    }
    return passed;
}
/**
 * \test DetectByteJumpTestPacket01 checks that a relative byte_jump
 *       (string, dec) works when the preceding keyword is a pcre
 *       (bug 142).
 *
 * \retval the value returned by UTHPacketMatchSig(), or 0 when the test
 *         packet could not be built.
 */
int DetectByteJumpTestPacket01 (void)
{
    uint8_t *payload = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
                    "User-Agent: Wget/1.11.4"
                    "Accept: */*"
                    "Host: www.google.com"
                    "Connection: Keep-Alive"
                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
    uint16_t payload_len = strlen((char *)payload);

    char rule[] = "alert tcp any any -> any any (msg:\"pcre + byte_test + "
    "relative\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\"; byte_jump:1,6,"
    "relative,string,dec; content:\"0\"; sid:134; rev:1;)";

    Packet *pkt = UTHBuildPacket((uint8_t *)payload, payload_len, IPPROTO_TCP);
    if (pkt == NULL) {
        return 0;
    }

    int matched = UTHPacketMatchSig(pkt, rule);
    UTHFreePacket(pkt);
    return matched;
}
/**
 * \test DetectIsdataatTestPacket03 checks that "isdataat:87,relative"
 *       is evaluated correctly when the preceding keyword is a byte_jump
 *       (bug 146).
 *
 * \retval the value returned by UTHPacketMatchSig(), or 0 when the test
 *         packet could not be built.
 */
int DetectIsdataatTestPacket03 (void)
{
    uint8_t *payload = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
                    "User-Agent: Wget/1.11.4"
                    "Accept: */*"
                    "Host: www.google.com"
                    "Connection: Keep-Alive"
                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
    uint16_t payload_len = strlen((char *)payload);

    char rule[] = "alert tcp any any -> any any (msg:\"byte_jump match = 0 "
    "with distance content HTTP/1. relative against HTTP/1.0\"; byte_jump:1,"
    "46,string,dec; isdataat:87,relative; sid:109; rev:1;)";

    Packet *pkt = UTHBuildPacket((uint8_t *)payload, payload_len, IPPROTO_TCP);
    if (pkt == NULL) {
        return 0;
    }

    int matched = UTHPacketMatchSig(pkt, rule);
    UTHFreePacket(pkt);
    return matched;
}
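/**
 * \test base64_decode with the "relative" option.
 *
 * The payload is eight 'a' bytes followed by a base64 string. The rule
 * first matches the "aaaaaaaa" content and then decodes relative to it.
 * The test passes when the thread context holds exactly the bytes of
 * "Hello World" afterwards.
 *
 * \retval 1 on success, 0 on any setup failure or decode mismatch.
 */
static int DetectBase64DecodeTestDecodeRelative(void)
{
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Packet *p = NULL;
    int retval = 0;

    uint8_t payload[] = {
        'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
        'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
        'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
    };
    char decoded[] = "Hello World";

    memset(&tv, 0, sizeof(tv));

    if ((de_ctx = DetectEngineCtxInit()) == NULL) {
        goto end;
    }

    de_ctx->sig_list = SigInit(de_ctx,
        "alert tcp any any -> any any (msg:\"base64 test\"; "
        "content:\"aaaaaaaa\"; "
        "base64_decode: relative; "
        "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* det_ctx is dereferenced below; if thread-context setup left it NULL,
     * fail the test instead of crashing. */
    if (det_ctx == NULL) {
        goto end;
    }

    p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
    if (p == NULL) {
        goto end;
    }

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    /* Check the length first so the memcmp below never compares more
     * bytes than the engine reported as decoded. */
    if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
        goto end;
    }
    if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
        goto end;
    }

    retval = 1;
end:
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    }
    if (de_ctx != NULL) {
        SigCleanSignatures(de_ctx);
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePacket(p);
    }
    return retval;
}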
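/**
 * \brief Feed one TCP test packet per index in [start, end) to the flow
 *        engine, using the index as the IPv4 address word.
 *
 * \param start first index to use
 * \param end   one past the last index to use
 * \param dir   0: src = i, dst = i + 1; any other value: src = i + 1, dst = i
 *
 * \retval the index at which the loop stopped. This equals \a end when
 *         every packet was built (or \a start when start >= end). A smaller
 *         value means UTHBuildPacket() failed at that index.
 */
uint32_t UTHBuildPacketOfFlows(uint32_t start, uint32_t end, uint8_t dir)
{
    uint32_t i = start;
    uint8_t payload[] = "Payload";

    for (; i < end; i++) {
        Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
        if (p == NULL) {
            /* The packet is dereferenced right below. Stop here so the
             * caller can see from the return value that fewer flows were
             * created than requested. */
            break;
        }
        if (dir == 0) {
            p->src.addr_data32[0] = i;
            p->dst.addr_data32[0] = i + 1;
        } else {
            p->src.addr_data32[0] = i + 1;
            p->dst.addr_data32[0] = i;
        }
        FlowHandlePacket(NULL, NULL, p);
        if (p->flow != NULL) {
            /* NOTE(review): presumably FlowHandlePacket() returns with the
             * flow referenced and locked; confirm against its definition. */
            SC_ATOMIC_RESET(p->flow->use_cnt);
            FLOWLOCK_UNLOCK(p->flow);
        }

        /* Now the queues should be updated */
        UTHFreePacket(p);
    }

    return i;
}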
/**
 * \test DetectWithinTestPacket01 checks that "within" is honoured when
 *       the preceding keyword is a pcre (bug 145).
 *
 * \retval the value returned by UTHPacketMatchSig(), or 0 when the test
 *         packet could not be built.
 */
int DetectWithinTestPacket01 (void)
{
    uint8_t *payload = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
                    "User-Agent: Wget/1.11.4"
                    "Accept: */*"
                    "Host: www.google.com"
                    "Connection: Keep-Alive"
                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
    uint16_t payload_len = strlen((char *)payload);

    char rule[] = "alert tcp any any -> any any (msg:\"pcre with within "
                 "modifier\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\";"
                 " content:\"HTTP\"; within:5; sid:49; rev:1;)";

    Packet *pkt = UTHBuildPacket((uint8_t *)payload, payload_len, IPPROTO_TCP);
    if (pkt == NULL) {
        return 0;
    }

    int matched = UTHPacketMatchSig(pkt, rule);
    UTHFreePacket(pkt);
    return matched;
}
/**
 * \test byte_jump with an offset far beyond the payload.
 *
 * The payload is a 4-byte heap buffer ("boom", no terminator) and the
 * rule asks for a byte_jump at offset 214748364. The test passes only
 * when the signature does NOT match.
 *
 * \retval non-zero when UTHPacketMatchSig() returns 0, 0 otherwise or
 *         when the packet could not be built.
 */
int DetectByteJumpTestPacket03(void)
{
    int outcome = 0;
    uint16_t data_len = 0;
    uint8_t *data = SCMalloc(4);

    if (unlikely(data == NULL)) {
        printf("malloc failed\n");
        exit(EXIT_FAILURE);
    }
    memcpy(data, "boom", 4);
    data_len = 4;

    char rule[] = "alert tcp any any -> any any (msg:\"byte_jump\"; "
        "byte_jump:1,214748364; sid:1; rev:1;)";

    Packet *pkt = UTHBuildPacket((uint8_t *)data, data_len, IPPROTO_TCP);
    if (pkt != NULL) {
        /* An out-of-range jump must be rejected, so "no match" is success. */
        outcome = !UTHPacketMatchSig(pkt, rule);
        UTHFreePacket(pkt);
    }

    if (data != NULL) {
        SCFree(data);
    }
    return outcome;
}
/**
 * \test full overlap: a segment holding "ABC" replaces the payload of a
 *       packet holding "AAC" at the same sequence number.
 *
 * After StreamTcpInlineSegmentReplacePacket() the test expects the
 * PKT_STREAM_MODIFIED flag to be set, the packet payload to equal the
 * segment payload, and the tail of the raw packet data to equal it too.
 *
 * \retval 1 on success, 0 on failure (via SCReturnInt).
 */
static int StreamTcpInlineTest01(void)
{
    SCEnter();

    uint8_t payload1[] = "AAC"; /* packet */
    uint8_t payload2[] = "ABC"; /* segment */
    /* Lengths without the string terminator. */
    const size_t pkt_data_len = sizeof(payload1) - 1;
    const size_t seg_data_len = sizeof(payload2) - 1;
    int result = 0;
    TcpSegment *seg = NULL;
    uint8_t *tail = NULL;

    Packet *p = UTHBuildPacketSrcDstPorts(payload1, pkt_data_len, IPPROTO_TCP, 1024, 80);
    if (p == NULL || p->tcph == NULL) {
        printf("generating test packet failed: ");
        goto end;
    }
    p->tcph->th_seq = htonl(10000000UL);

    seg = SCMalloc(sizeof(*seg));
    if (seg == NULL) {
        printf("alloc TcpSegment failed: ");
        goto end;
    }
    memset(seg, 0x00, sizeof(*seg));
    seg->payload = payload2;
    seg->payload_len = seg_data_len;
    seg->seq = 10000000UL;

    StreamTcpInlineSegmentReplacePacket(p, seg);

    if ((p->flags & PKT_STREAM_MODIFIED) == 0) {
        printf("PKT_STREAM_MODIFIED pkt flag not set: ");
        goto end;
    }

    if (memcmp(p->payload, seg->payload, p->payload_len) != 0) {
        printf("Packet:\n");
        PrintRawDataFp(stdout, p->payload, p->payload_len);
        printf("Segment:\n");
        PrintRawDataFp(stdout, seg->payload, seg->payload_len);
        printf("payloads didn't match: ");
        goto end;
    }

    /* The payload bytes sit at the very end of the raw packet data. */
    tail = GET_PKT_DATA(p) + (GET_PKT_LEN(p) - pkt_data_len);
    if (memcmp(tail, payload2, seg_data_len) != 0) {
        PrintRawDataFp(stdout, tail, 3);
        PrintRawDataFp(stdout, GET_PKT_DATA(p), GET_PKT_LEN(p));
        goto end;
    }

    result = 1;
end:
    if (p != NULL) {
        UTHFreePacket(p);
    }
    if (seg != NULL) {
        SCFree(seg);
    }
    SCReturnInt(result);
}
/**
 * \brief UTHFreePackets: release an array of test packets by calling
 *        UTHFreePacket() on each entry.
 *
 * \param p       array of Packet pointers; a NULL array is ignored
 * \param numpkts number of entries in \a p to release
 */
void UTHFreePackets(Packet **p, int numpkts)
{
    if (p != NULL) {
        for (int idx = 0; idx < numpkts; idx++) {
            UTHFreePacket(p[idx]);
        }
    }
}
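/**
 * \test base64_decode with an offset beyond the payload.
 *
 * The payload is 16 bytes long and the rule asks to decode 16 bytes
 * starting at offset 32. The test passes when nothing was decoded, i.e.
 * the thread context reports a decoded length of 0.
 *
 * \retval 1 on success, 0 on any setup failure or if data was decoded.
 */
static int DetectBase64DecodeTestDecodeLargeOffset(void)
{
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Packet *p = NULL;
    int retval = 0;

    uint8_t payload[] = {
        'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
        'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
    };

    memset(&tv, 0, sizeof(tv));

    if ((de_ctx = DetectEngineCtxInit()) == NULL) {
        goto end;
    }

    /* Offset is out of range. */
    de_ctx->sig_list = SigInit(de_ctx,
        "alert tcp any any -> any any (msg:\"base64 test\"; "
        "base64_decode: bytes 16, offset 32; "
        "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* det_ctx is dereferenced below; if thread-context setup left it NULL,
     * fail the test instead of crashing. */
    if (det_ctx == NULL) {
        goto end;
    }

    p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
    if (p == NULL) {
        goto end;
    }

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    /* An out-of-range offset must not yield any decoded bytes. */
    if (det_ctx->base64_decoded_len != 0) {
        goto end;
    }

    retval = 1;
end:
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    }
    if (de_ctx != NULL) {
        SigCleanSignatures(de_ctx);
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePacket(p);
    }
    return retval;
}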
/**
 * \brief UTHBuildPacketTest02 builds a UDP packet with UTHBuildPacket()
 *        and validates it with CheckUTHTestPacket().
 *
 * The payload length is sizeof("Payload"), so it includes the string
 * terminator.
 *
 * \retval the value returned by CheckUTHTestPacket()
 */
int UTHBuildPacketTest02(void)
{
    uint8_t data[] = "Payload";
    Packet *pkt = UTHBuildPacket(data, sizeof(data), IPPROTO_UDP);

    const int verdict = CheckUTHTestPacket(pkt, IPPROTO_UDP);

    UTHFreePacket(pkt);
    return verdict;
}
/**
 * \brief UTHBuildPacketRealTest02 builds a UDP packet with explicit
 *        addresses and ports through UTHBuildPacketReal() and validates
 *        it with CheckUTHTestPacket().
 *
 * The payload length is sizeof("Payload"), so it includes the string
 * terminator.
 *
 * \retval the value returned by CheckUTHTestPacket()
 */
int UTHBuildPacketRealTest02(void)
{
    uint8_t data[] = "Payload";
    Packet *pkt = UTHBuildPacketReal(data, sizeof(data), IPPROTO_UDP,
                                     "192.168.1.5", "192.168.1.1",
                                     41424, 80);

    const int verdict = CheckUTHTestPacket(pkt, IPPROTO_UDP);

    UTHFreePacket(pkt);
    return verdict;
}
/**
 * \brief UTHBuildPacketSrcDstTest01 builds a TCP packet with explicit
 *        source and destination addresses through UTHBuildPacketSrcDst()
 *        and validates it with CheckUTHTestPacket().
 *
 * The payload length is sizeof("Payload"), so it includes the string
 * terminator.
 *
 * \retval the value returned by CheckUTHTestPacket()
 */
int UTHBuildPacketSrcDstTest01(void)
{
    uint8_t data[] = "Payload";
    Packet *pkt = UTHBuildPacketSrcDst(data, sizeof(data), IPPROTO_TCP,
                                       "192.168.1.5", "192.168.1.1");

    const int verdict = CheckUTHTestPacket(pkt, IPPROTO_TCP);

    UTHFreePacket(pkt);
    return verdict;
}
/**
 * \brief UTHBuildPacketSrcDstPortsTest01 builds a TCP packet with explicit
 *        source and destination ports through UTHBuildPacketSrcDstPorts()
 *        and validates it with CheckUTHTestPacket().
 *
 * The payload length is sizeof("Payload"), so it includes the string
 * terminator.
 *
 * \retval the value returned by CheckUTHTestPacket()
 */
int UTHBuildPacketSrcDstPortsTest01(void)
{
    uint8_t data[] = "Payload";
    Packet *pkt = UTHBuildPacketSrcDstPorts(data, sizeof(data), IPPROTO_TCP,
                                            41424, 80);

    const int verdict = CheckUTHTestPacket(pkt, IPPROTO_TCP);

    UTHFreePacket(pkt);
    return verdict;
}
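/**
 * \test payloadlenfield with a 4-byte length field at offset 2.
 *
 * The payload length (4096) is stored in host byte order in the four
 * bytes at offset 2, which is the field the rule reads.
 *
 * \retval the value returned by UTHPacketMatchSig(), or 0 when the test
 *         packet could not be built.
 */
static int PayloadLenFieldTest2()
{
    /* Zero-filled so the packet never carries indeterminate stack bytes. */
    uint8_t payload[4096] = { 0 };

    /* The rule declares a 4-byte field, so the source object must be four
     * bytes wide as well. Copying 4 bytes out of a uint16_t would read two
     * bytes past the end of that variable. */
    uint32_t len = sizeof(payload);
    memcpy(payload + 2, &len, sizeof(len));

    Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
    if (p == NULL) {
        return 0;
    }

    int res = UTHPacketMatchSig(p, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:2 len:4; sid:1;)");
    UTHFreePacket(p);
    return res;
}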
/**
 * \test payloadlenfield with a 1-byte length field at offset 2.
 *
 * The payload is 10 bytes long and its own length is written into the
 * byte at offset 2, which is the field the rule reads.
 *
 * \retval the value returned by UTHPacketMatchSig()
 */
static int PayloadLenFieldTest1()
{
    uint8_t data[] = { 1,2,3,4,5,6,7,8,9,10 };

    /* Overwrite the length field with the real payload size. */
    data[2] = (uint8_t)sizeof(data);

    Packet *pkt = UTHBuildPacket(data, sizeof(data), IPPROTO_TCP);
    int matched = UTHPacketMatchSig(pkt, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:2 len:1; sid:1;)");

    UTHFreePacket(pkt);
    return matched;
}
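/**
 * \test A "flow:no_stream" rule with a content match must alert on a
 *       plain packet payload.
 *
 * The packet carries "supernovaduper" and the rule looks for "nova".
 * The test expects exactly one alert for sid 1.
 *
 * NOTE(review): FAIL_IF / FAIL_IF_NULL / PASS are defined elsewhere.
 * Presumably they return from the function, in which case a failing check
 * skips the cleanup at the bottom; confirm against their definition.
 */
static int DetectFlowSigTest01(void)
{
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    uint8_t *buf = (uint8_t *)"supernovaduper";
    uint16_t buflen = strlen((char *)buf);

    Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
    FAIL_IF_NULL(p);

    char *sig1 = "alert tcp any any -> any any (msg:\"dummy\"; "
        "content:\"nova\"; flow:no_stream; sid:1;)";

    memset(&th_v, 0, sizeof(th_v));

    de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, sig1);
    FAIL_IF_NULL(de_ctx->sig_list);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    /* The thread context is handed to the matcher next; fail the test
     * rather than pass a NULL context on. */
    FAIL_IF_NULL(det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(PacketAlertCheck(p, 1) != 1);

    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }

    if (p != NULL)
        UTHFreePacket(p);

    PASS;
}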
/**
 * \test byte_jump with "relative" and "from_beginning" combined
 *       (bug 626/627).
 *
 * \retval 1 when UTHPacketMatchSig() reports a match, 0 otherwise or when
 *         the test packet could not be built.
 */
int DetectByteJumpTestPacket07 (void)
{
    uint8_t *payload = (uint8_t *)"XX04abcdABCD";
    uint16_t payload_len = strlen((char *)payload);

    char rule[] = "alert tcp any any -> any any (content:\"XX\"; byte_jump:2,0,relative,string,dec,from_beginning; content:\"abcdABCD\"; distance:0; within:8; sid:1; rev:1;)";

    Packet *pkt = UTHBuildPacket((uint8_t *)payload, payload_len, IPPROTO_TCP);
    if (pkt == NULL) {
        return 0;
    }

    /* Normalise whatever the matcher returns to 0 or 1. */
    int matched = 0;
    if (UTHPacketMatchSig(pkt, rule)) {
        matched = 1;
    }

    UTHFreePacket(pkt);
    return matched;
}
/**
 * \test payloadlenfield with a 2-byte length field at offset 1.
 *
 * The 256-byte payload is filled with the byte values 0..255, then the
 * payload length is written in host byte order into the two bytes at
 * offset 1, which is the field the rule reads.
 *
 * \retval the value returned by UTHPacketMatchSig()
 */
static int PayloadLenFieldTest3()
{
    uint8_t data[256];
    int pos = 0;

    while (pos < 256) {
        data[pos] = pos;
        ++pos;
    }

    uint16_t field = sizeof(data);
    memcpy(data + 1, &field, sizeof(field));

    Packet *pkt = UTHBuildPacket(data, sizeof(data), IPPROTO_TCP);
    int matched = UTHPacketMatchSig(pkt, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:1 len:2; sid:1;)");

    UTHFreePacket(pkt);
    return matched;
}
/**
 * \test Two content matches where the second one carries both "within"
 *       and "distance".
 *
 * \retval the value returned by UTHPacketMatchSig(), or 0 when the test
 *         packet could not be built.
 */
int DetectWithinTestPacket02 (void)
{
    uint8_t *payload = (uint8_t *)"Zero Five Ten Fourteen";
    uint16_t payload_len = strlen((char *)payload);

    char rule[] = "alert tcp any any -> any any (msg:\"pcre with within "
                 "modifier\"; content:\"Five\"; content:\"Ten\"; within:3; distance:1; sid:1;)";

    Packet *pkt = UTHBuildPacket((uint8_t *)payload, payload_len, IPPROTO_TCP);
    if (pkt == NULL) {
        return 0;
    }

    int matched = UTHPacketMatchSig(pkt, rule);
    UTHFreePacket(pkt);
    return matched;
}
/**
 * \test byte_jump with a negative relative offset (string, dec).
 *
 * The test passes when the signature matches.
 *
 * \retval 1 when UTHPacketMatchSigMpm() reports a match, 0 otherwise.
 */
static int PayloadTestSig32(void)
{
    uint8_t *payload = (uint8_t *)"dummy2xxcardmessage";
    uint16_t payload_len = strlen((char *)payload);
    char rule[] = "alert tcp any any -> any any (msg:\"crash\"; "
        "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";

    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    int passed = (UTHPacketMatchSigMpm(pkt, rule, mpm_default_matcher) != 0) ? 1 : 0;

    if (pkt != NULL) {
        UTHFreePacket(pkt);
    }
    return passed;
}
/**
 * \test Negative distance matching.
 *
 * The second content uses "distance:-10", which reaches back further
 * than the 7-byte payload is long. The test passes when the signature
 * matches.
 *
 * \retval 1 when UTHPacketMatchSigMpm() reports a match, 0 otherwise.
 */
static int PayloadTestSig03 (void)
{
    uint8_t *payload = (uint8_t *)
                    "abcaBcd";
    uint16_t payload_len = strlen((char *)payload);
    char rule[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";

    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    int passed = (UTHPacketMatchSigMpm(pkt, rule, MPM_B2G) != 0) ? 1 : 0;

    if (pkt != NULL) {
        UTHFreePacket(pkt);
    }
    return passed;
}
/**
 * \test byte_extract with a negative relative offset (string, dec).
 *
 * The test passes when the signature matches.
 *
 * \retval 1 when UTHPacketMatchSigMpm() reports a match, 0 otherwise.
 */
static int PayloadTestSig34(void)
{
    uint8_t *payload = (uint8_t *)"dummy2xxcardmessage";
    uint16_t payload_len = strlen((char *)payload);
    char rule[] = "alert tcp any any -> any any (msg:\"crash\"; "
        "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";

    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    int passed = (UTHPacketMatchSigMpm(pkt, rule, DEFAULT_MPM) != 0) ? 1 : 0;

    if (pkt != NULL) {
        UTHFreePacket(pkt);
    }
    return passed;
}
/**
 * \test Relative pcre (the /R modifier) following a content match.
 *
 * The test passes when the signature matches.
 *
 * \retval 1 when UTHPacketMatchSigMpm() reports a match, 0 otherwise.
 */
static int PayloadTestSig31(void)
{
    uint8_t *payload = (uint8_t *)
                    "xyonexxxxxxtwojunkonetwo";
    uint16_t payload_len = strlen((char *)payload);
    char rule[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";

    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    int passed = (UTHPacketMatchSigMpm(pkt, rule, DEFAULT_MPM) != 0) ? 1 : 0;

    if (pkt != NULL) {
        UTHFreePacket(pkt);
    }
    return passed;
}
/**
 * \test Multiple relative matches combined with a negated content; shows
 *       the need for det_ctx->discontinue_matching.
 *
 * The test passes only when the matcher returns exactly 1.
 *
 * \retval 1 when UTHPacketMatchSigMpm() returns 1, 0 otherwise.
 */
static int PayloadTestSig08(void)
{
    uint8_t *payload = (uint8_t *)"we need to fix this and yes fix this now";
    uint16_t payload_len = strlen((char *)payload);
    char rule[] = "alert tcp any any -> any any (msg:\"dummy\"; "
        "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";

    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    int passed = (UTHPacketMatchSigMpm(pkt, rule, DEFAULT_MPM) == 1) ? 1 : 0;

    if (pkt != NULL) {
        UTHFreePacket(pkt);
    }
    return passed;
}
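/**
 * \brief Unit test helper: insert a segment of \a len bytes, all set to
 *        \a byte, into \a stream at sequence number \a seq.
 *
 * A throwaway TCP packet carrying the same sequence number is built for
 * the insert call and released again before returning.
 *
 * \param tv     thread vars passed through to the stream functions
 * \param ra_ctx reassembly thread context
 * \param stream stream to insert the segment into
 * \param seq    sequence number of the segment (host byte order)
 * \param byte   fill value for the segment payload
 * \param len    payload length in bytes
 *
 * \retval 0 on success
 * \retval -1 when the segment or packet could not be obtained, the packet
 *         has no TCP header, or the insert failed
 */
int StreamTcpUTAddSegmentWithByte(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, uint8_t byte, uint16_t len)
{
    TcpSegment *s = StreamTcpGetSegment(tv, ra_ctx, len);
    if (s == NULL) {
        return -1;
    }

    s->seq = seq;
    s->payload_len = len;
    memset(s->payload, byte, len);

    Packet *p = UTHBuildPacketReal(s->payload, s->payload_len, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
    if (p == NULL) {
        /* NOTE(review): the segment obtained above is not handed back on
         * this path; the matching release call is not visible here. */
        return -1;
    }
    if (p->tcph == NULL) {
        /* Without a TCP header the sequence number cannot be set. */
        UTHFreePacket(p);
        return -1;
    }
    p->tcph->th_seq = htonl(seq);

    /* Release the helper packet on both outcomes so a failed insert does
     * not leak it. */
    int rc = 0;
    if (StreamTcpReassembleInsertSegment(tv, ra_ctx, stream, s, p) < 0) {
        rc = -1;
    }

    UTHFreePacket(p);
    return rc;
}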
/**
 * \test normal & negated matching, both absolute and relative.
 *
 * The last negated content in the rule spells out text that is present
 * in the payload, using |xx| hex notation for the punctuation. The test
 * passes when the matcher does not return 1.
 *
 * \retval 1 when UTHPacketMatchSigMpm() returns anything but 1, else 0.
 */
static int PayloadTestSig14(void)
{
    uint8_t *payload = (uint8_t *)"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
    uint16_t payload_len = strlen((char *)payload);

    char rule[] = "alert tcp any any -> any any ("
        "content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; "
        "content:\"Firefox/3.\"; distance:0; "
        "content:!\"Firefox/3.6.12\"; distance:-10; "
        "content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; "
        "sid:1; rev:1;)";

    Packet *pkt = UTHBuildPacket(payload, payload_len, IPPROTO_TCP);

    /* A return of 1 means the rule fired, which is the failure case here. */
    int passed = (UTHPacketMatchSigMpm(pkt, rule, DEFAULT_MPM) == 1) ? 0 : 1;

    if (pkt != NULL) {
        UTHFreePacket(pkt);
    }
    return passed;
}