/*
* \test Test negative byte extract.
*/
static int PayloadTestSig26(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
0x0E, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"|35 07 08 09|\"; "
"byte_extract:1,-3000,one,string,dec,relative; "
"content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) != 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig23(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
0x32, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"|01 02 03 04|\"; "
"byte_extract:1,2,one,string,dec,relative; "
"byte_extract:1,3,two,string,dec,relative; "
"byte_test:1,=,one,two,string,dec,relative; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test byte_extract.
*/
static int PayloadTestSig34(void)
{
uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
"content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0)
goto end;
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/** \test Negative distance matching */
static int PayloadTestSig03 (void) {
uint8_t *buf = (uint8_t *)
"abcaBcd";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test byte_jump.
*/
static int PayloadTestSig32(void)
{
uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
"content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0)
goto end;
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test multiple relative matches with negative matches
* and show the need for det_ctx->discontinue_matching.
*/
static int PayloadTestSig08(void)
{
uint8_t *buf = (uint8_t *)"we need to fix this and yes fix this now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) != 1) {
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig31(void)
{
uint8_t *buf = (uint8_t *)
"xyonexxxxxxtwojunkonetwo";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test normal & negated matching, both absolute and relative
*/
static int PayloadTestSig14(void)
{
uint8_t *buf = (uint8_t *)"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
//char sig[] = "alert tcp any any -> any any (content:\"User-Agent: Mozilla/5.0 (Macintosh; \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 1) {
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test invalid sig.
*/
static int PayloadTestSig12(void)
{
uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
"isdataat:10,relative; sid:11;)";
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 1) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test pcre recursive matching.
*/
static int PayloadTestSig09(void)
{
uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"pcre:/super/; content:\"nova\"; within:7; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test multiple relative matches.
*/
static int PayloadTestSig07(void)
{
uint8_t *buf = (uint8_t *)" thus thus is a big";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/**
* \test Test multiple relative matches.
*/
static int PayloadTestSig06(void)
{
uint8_t *buf = (uint8_t *)"this this now is is big string now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
"content:\"string\"; within:8; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/*
* \test Test packet/stream sigs
*/
static int PayloadTestSig28(void)
{
uint8_t buf[] = "dummypayload";
uint16_t buflen = sizeof(buf) - 1;
int result = 0;
Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
char sig[] = "alert tcp any any -> any any (content:\"payload\"; "
"offset:4; depth:12; sid:1;)";
p->flags |= PKT_STREAM_ADD;
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) != 1)
goto end;
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig16(void)
{
uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"nova\"; isdataat:!20,relative; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
static int PayloadTestSig17(void)
{
uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
uint16_t buflen = 9;
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"%\"; depth:4; offset:0; "
"content:\"%\"; within:2; distance:1; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
