/src/suricata7/src/detect-engine-sigorder.c
Line | Count | Source |
1 | | /* Copyright (C) 2007-2013 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Anoop Saldanha <anoopsaldanha@gmail.com> |
22 | | * |
23 | | * Signature ordering part of the detection engine. |
24 | | */ |
25 | | |
26 | | #include "suricata-common.h" |
27 | | #include "detect.h" |
28 | | #include "detect-xbits.h" |
29 | | #include "detect-flowbits.h" |
30 | | #include "detect-flowint.h" |
31 | | #include "detect-parse.h" |
32 | | #include "detect-engine-sigorder.h" |
33 | | #include "detect-pcre.h" |
34 | | #include "detect-engine-build.h" |
35 | | |
36 | | #include "util-unittest.h" |
37 | | #include "util-unittest-helper.h" |
38 | | #include "util-debug.h" |
39 | | #include "util-action.h" |
40 | | #include "action-globals.h" |
41 | | #include "flow-util.h" |
42 | | #include "util-validate.h" |
43 | | |
44 | 174k | #define DETECT_FLOWVAR_NOT_USED 1 |
45 | 327 | #define DETECT_FLOWVAR_TYPE_READ 2 |
46 | 0 | #define DETECT_FLOWVAR_TYPE_SET_READ 3 |
47 | 249 | #define DETECT_FLOWVAR_TYPE_SET 4 |
48 | | |
49 | 174k | #define DETECT_PKTVAR_NOT_USED 1 |
50 | 163 | #define DETECT_PKTVAR_TYPE_READ 2 |
51 | 18 | #define DETECT_PKTVAR_TYPE_SET_READ 3 |
52 | 243 | #define DETECT_PKTVAR_TYPE_SET 4 |
53 | | |
54 | 174k | #define DETECT_FLOWBITS_NOT_USED 1 |
55 | 3.11k | #define DETECT_FLOWBITS_TYPE_READ 2 |
56 | 509 | #define DETECT_FLOWBITS_TYPE_SET_READ 3 |
57 | 3.39k | #define DETECT_FLOWBITS_TYPE_SET 4 |
58 | | |
59 | 174k | #define DETECT_FLOWINT_NOT_USED 1 |
60 | 396 | #define DETECT_FLOWINT_TYPE_READ 2 |
61 | 5 | #define DETECT_FLOWINT_TYPE_SET_READ 3 |
62 | 7.91k | #define DETECT_FLOWINT_TYPE_SET 4 |
63 | | |
64 | 348k | #define DETECT_XBITS_NOT_USED 1 |
65 | 134 | #define DETECT_XBITS_TYPE_READ 2 |
66 | 0 | #define DETECT_XBITS_TYPE_SET_READ 3 |
67 | 78 | #define DETECT_XBITS_TYPE_SET 4 |
68 | | |
69 | | |
70 | | /** |
71 | | * \brief Registers a keyword-based, signature ordering function |
72 | | * |
73 | | * \param de_ctx Pointer to the detection engine context from which the |
74 | | * signatures have to be ordered. |
75 | | * \param FuncPtr Pointer to the signature ordering function. The prototype of |
76 | | * the signature ordering function should accept a pointer to a |
77 | | * SCSigSignatureWrapper as its argument and shouldn't return |
78 | | * anything |
79 | | */ |
80 | | static void SCSigRegisterSignatureOrderingFunc(DetectEngineCtx *de_ctx, |
81 | | int (*SWCompare)(SCSigSignatureWrapper *sw1, SCSigSignatureWrapper *sw2)) |
82 | 485k | { |
83 | 485k | SCSigOrderFunc *curr = NULL; |
84 | 485k | SCSigOrderFunc *prev = NULL; |
85 | 485k | SCSigOrderFunc *temp = NULL; |
86 | | |
87 | 485k | curr = de_ctx->sc_sig_order_funcs; |
88 | | |
89 | | /* Walk to the end of the list, and leave prev pointing at the |
90 | | last element. */ |
91 | 485k | prev = curr; |
92 | 2.18M | while (curr != NULL) { |
93 | 1.69M | if (curr->SWCompare == SWCompare) { |
94 | | /* Already specified this compare */ |
95 | 0 | return; |
96 | 0 | } |
97 | 1.69M | prev = curr; |
98 | 1.69M | curr = curr->next; |
99 | 1.69M | } |
100 | | |
101 | 485k | if ( (temp = SCMalloc(sizeof(SCSigOrderFunc))) == NULL) { |
102 | 0 | FatalError("Fatal error encountered in SCSigRegisterSignatureOrderingFunc. Exiting..."); |
103 | 0 | } |
104 | 485k | memset(temp, 0, sizeof(SCSigOrderFunc)); |
105 | | |
106 | 485k | temp->SWCompare = SWCompare; |
107 | | |
108 | | /* Append the new compare function at the end of the list. */ |
109 | 485k | if (prev == NULL) |
110 | 60.6k | de_ctx->sc_sig_order_funcs = temp; |
111 | 424k | else |
112 | 424k | prev->next = temp; |
113 | | |
114 | 485k | return; |
115 | 485k | } |
116 | | |
117 | | /** |
118 | | * \brief Returns the flowbit type set for this signature. If more than one |
119 | | * flowbit has been set for the same rule, we return the flowbit type of |
120 | | * the maximum priority/value, where priority/value is maximum for the |
121 | | * ones that set the value and the lowest for ones that read the value. |
122 | | * If no flowbit has been set for the rule, we return 0, which indicates |
123 | | * the least value amongst flowbit types. |
124 | | * |
125 | | * \param sig Pointer to the Signature from which the flowbit value has to be |
126 | | * returned. |
127 | | * |
128 | | * \retval flowbits The flowbits type for this signature if it is set; if it is |
129 | | * not set, return 0 |
130 | | */ |
131 | | static inline int SCSigGetFlowbitsType(Signature *sig) |
132 | 174k | { |
133 | 174k | DetectFlowbitsData *fb = NULL; |
134 | 174k | int flowbits_user_type = DETECT_FLOWBITS_NOT_USED; |
135 | 174k | int read = 0; |
136 | 174k | int write = 0; |
137 | 174k | SigMatch *sm = sig->init_data->smlists[DETECT_SM_LIST_MATCH]; |
138 | | |
139 | 249k | while (sm != NULL) { |
140 | 75.0k | if (sm->type == DETECT_FLOWBITS) { |
141 | 5.04k | fb = (DetectFlowbitsData *)sm->ctx; |
142 | 5.04k | if (fb->cmd == DETECT_FLOWBITS_CMD_ISNOTSET || |
143 | 5.04k | fb->cmd == DETECT_FLOWBITS_CMD_ISSET) { |
144 | 5.04k | read++; |
145 | 5.04k | } else { |
146 | | #ifdef DEBUG |
147 | | BUG_ON(1); |
148 | | #endif |
149 | 0 | } |
150 | 5.04k | } |
151 | | |
152 | 75.0k | sm = sm->next; |
153 | 75.0k | } |
154 | | |
155 | 174k | sm = sig->init_data->smlists[DETECT_SM_LIST_POSTMATCH]; |
156 | 201k | while (sm != NULL) { |
157 | 26.9k | if (sm->type == DETECT_FLOWBITS) { |
158 | 7.26k | fb = (DetectFlowbitsData *)sm->ctx; |
159 | 7.26k | if (fb->cmd == DETECT_FLOWBITS_CMD_SET || |
160 | 1.26k | fb->cmd == DETECT_FLOWBITS_CMD_UNSET || |
161 | 7.26k | fb->cmd == DETECT_FLOWBITS_CMD_TOGGLE) { |
162 | 7.26k | write++; |
163 | 7.26k | } else { |
164 | | #ifdef DEBUG |
165 | | BUG_ON(1); |
166 | | #endif |
167 | 0 | } |
168 | 7.26k | } |
169 | | |
170 | 26.9k | sm = sm->next; |
171 | 26.9k | } |
172 | | |
173 | 174k | if (read > 0 && write == 0) { |
174 | 3.11k | flowbits_user_type = DETECT_FLOWBITS_TYPE_READ; |
175 | 171k | } else if (read == 0 && write > 0) { |
176 | 3.39k | flowbits_user_type = DETECT_FLOWBITS_TYPE_SET; |
177 | 167k | } else if (read > 0 && write > 0) { |
178 | 509 | flowbits_user_type = DETECT_FLOWBITS_TYPE_SET_READ; |
179 | 509 | } |
180 | | |
181 | 174k | SCLogDebug("Sig %s typeval %d", sig->msg, flowbits_user_type); |
182 | | |
183 | 174k | return flowbits_user_type; |
184 | 174k | } |
185 | | |
186 | | static inline int SCSigGetFlowintType(Signature *sig) |
187 | 174k | { |
188 | 174k | DetectFlowintData *fi = NULL; |
189 | 174k | int flowint_user_type = DETECT_FLOWINT_NOT_USED; |
190 | 174k | int read = 0; |
191 | 174k | int write = 0; |
192 | 174k | SigMatch *sm = sig->init_data->smlists[DETECT_SM_LIST_MATCH]; |
193 | | |
194 | 249k | while (sm != NULL) { |
195 | 75.0k | if (sm->type == DETECT_FLOWINT) { |
196 | 2.15k | fi = (DetectFlowintData *)sm->ctx; |
197 | 2.15k | if (fi->modifier == FLOWINT_MODIFIER_LT || fi->modifier == FLOWINT_MODIFIER_LE || |
198 | 1.93k | fi->modifier == FLOWINT_MODIFIER_EQ || fi->modifier == FLOWINT_MODIFIER_NE || |
199 | 1.19k | fi->modifier == FLOWINT_MODIFIER_GE || fi->modifier == FLOWINT_MODIFIER_GT || |
200 | 3 | fi->modifier == FLOWINT_MODIFIER_ISNOTSET || |
201 | 2.15k | fi->modifier == FLOWINT_MODIFIER_ISSET) { |
202 | 2.15k | read++; |
203 | 2.15k | } else { |
204 | | #ifdef DEBUG |
205 | | BUG_ON(1); |
206 | | #endif |
207 | 0 | } |
208 | 2.15k | } |
209 | | |
210 | 75.0k | sm = sm->next; |
211 | 75.0k | } |
212 | | |
213 | 174k | sm = sig->init_data->smlists[DETECT_SM_LIST_POSTMATCH]; |
214 | 201k | while (sm != NULL) { |
215 | 26.9k | if (sm->type == DETECT_FLOWINT) { |
216 | 8.04k | fi = (DetectFlowintData *)sm->ctx; |
217 | 8.04k | if (fi->modifier == FLOWINT_MODIFIER_SET || |
218 | 7.98k | fi->modifier == FLOWINT_MODIFIER_ADD || |
219 | 8.04k | fi->modifier == FLOWINT_MODIFIER_SUB) { |
220 | 8.04k | write++; |
221 | 8.04k | } else { |
222 | | #ifdef DEBUG |
223 | | BUG_ON(1); |
224 | | #endif |
225 | 0 | } |
226 | 8.04k | } |
227 | | |
228 | 26.9k | sm = sm->next; |
229 | 26.9k | } |
230 | | |
231 | 174k | if (read > 0 && write == 0) { |
232 | 396 | flowint_user_type = DETECT_FLOWINT_TYPE_READ; |
233 | 173k | } else if (read == 0 && write > 0) { |
234 | 7.91k | flowint_user_type = DETECT_FLOWINT_TYPE_SET; |
235 | 165k | } else if (read > 0 && write > 0) { |
236 | 5 | flowint_user_type = DETECT_FLOWINT_TYPE_SET_READ; |
237 | 5 | } |
238 | | |
239 | 174k | SCLogDebug("Sig %s typeval %d", sig->msg, flowint_user_type); |
240 | | |
241 | 174k | return flowint_user_type; |
242 | 174k | } |
243 | | |
244 | | /** |
245 | | * \brief Returns whether the flowvar set for this rule, sets the flowvar or |
246 | | * reads the flowvar. If the rule sets the flowvar the function returns |
247 | | * DETECT_FLOWVAR_TYPE_SET(3), if it reads the flowvar the function |
248 | | * returns DETECT_FLOWVAR_TYPE_READ(2), and if flowvar is not used in this |
249 | | * rule the function returns DETECT_FLOWVAR_NOT_USED(1) |
250 | | * |
251 | | * \param sig Pointer to the Signature from which the flowvar type has to be |
252 | | * returned. |
253 | | * |
254 | | * \retval type DETECT_FLOWVAR_TYPE_SET(3) if the rule sets the flowvar, |
255 | | * DETECT_FLOWVAR_TYPE_READ(2) if it reads, and |
256 | | * DETECT_FLOWVAR_NOT_USED(1) if flowvar is not used. |
257 | | */ |
258 | | static inline int SCSigGetFlowvarType(Signature *sig) |
259 | 174k | { |
260 | 174k | DetectPcreData *pd = NULL; |
261 | 174k | int type = DETECT_FLOWVAR_NOT_USED; |
262 | 174k | int read = 0; |
263 | 174k | int write = 0; |
264 | 174k | SigMatch *sm = sig->init_data->smlists[DETECT_SM_LIST_PMATCH]; |
265 | | |
266 | 277k | while (sm != NULL) { |
267 | 103k | pd = (DetectPcreData *)sm->ctx; |
268 | 103k | if (sm->type == DETECT_PCRE) { |
269 | 46.0k | uint8_t x; |
270 | 46.4k | for (x = 0; x < pd->idx; x++) { |
271 | 1.01k | if (pd->captypes[x] == VAR_TYPE_FLOW_VAR) { |
272 | 581 | write++; |
273 | 581 | break; |
274 | 581 | } |
275 | 1.01k | } |
276 | 46.0k | } |
277 | | |
278 | 103k | sm = sm->next; |
279 | 103k | } |
280 | | |
281 | 174k | sm = sig->init_data->smlists[DETECT_SM_LIST_MATCH]; |
282 | 174k | pd = NULL; |
283 | 249k | while (sm != NULL) { |
284 | 75.0k | if (sm->type == DETECT_FLOWVAR) { |
285 | 506 | read++; |
286 | 506 | } |
287 | | |
288 | 75.0k | sm = sm->next; |
289 | 75.0k | } |
290 | | |
291 | 174k | if (read > 0 && write == 0) { |
292 | 327 | type = DETECT_FLOWVAR_TYPE_READ; |
293 | 173k | } else if (read == 0 && write > 0) { |
294 | 249 | type = DETECT_FLOWVAR_TYPE_SET; |
295 | 173k | } else if (read > 0 && write > 0) { |
296 | 0 | type = DETECT_FLOWVAR_TYPE_SET_READ; |
297 | 0 | } |
298 | | |
299 | 174k | return type; |
300 | 174k | } |
301 | | |
302 | | /** |
303 | | * \brief Returns whether the pktvar set for this rule, sets the flowvar or |
304 | | * reads the pktvar. If the rule sets the pktvar the function returns |
305 | | * DETECT_PKTVAR_TYPE_SET(3), if it reads the pktvar the function |
306 | | * returns DETECT_PKTVAR_TYPE_READ(2), and if pktvar is not used in this |
307 | | * rule the function returns DETECT_PKTVAR_NOT_USED(1) |
308 | | * |
309 | | * \param sig Pointer to the Signature from which the pktvar type has to be |
310 | | * returned. |
311 | | * |
312 | | * \retval type DETECT_PKTVAR_TYPE_SET(3) if the rule sets the flowvar, |
313 | | * DETECT_PKTVAR_TYPE_READ(2) if it reads, and |
314 | | * DETECT_PKTVAR_NOT_USED(1) if pktvar is not used. |
315 | | */ |
316 | | static inline int SCSigGetPktvarType(Signature *sig) |
317 | 174k | { |
318 | 174k | DetectPcreData *pd = NULL; |
319 | 174k | int type = DETECT_PKTVAR_NOT_USED; |
320 | 174k | int read = 0; |
321 | 174k | int write = 0; |
322 | 174k | SigMatch *sm = sig->init_data->smlists[DETECT_SM_LIST_PMATCH]; |
323 | | |
324 | 277k | while (sm != NULL) { |
325 | 103k | pd = (DetectPcreData *)sm->ctx; |
326 | 103k | if (sm->type == DETECT_PCRE) { |
327 | 46.0k | uint8_t x; |
328 | 46.9k | for (x = 0; x < pd->idx; x++) { |
329 | 1.45k | if (pd->captypes[x] == VAR_TYPE_PKT_VAR) { |
330 | 483 | write++; |
331 | 483 | break; |
332 | 483 | } |
333 | 1.45k | } |
334 | 46.0k | } |
335 | | |
336 | 103k | sm = sm->next; |
337 | 103k | } |
338 | | |
339 | 174k | sm = sig->init_data->smlists[DETECT_SM_LIST_MATCH]; |
340 | 174k | pd = NULL; |
341 | 249k | while (sm != NULL) { |
342 | 75.0k | if (sm->type == DETECT_PKTVAR) { |
343 | 3.26k | read++; |
344 | 3.26k | } |
345 | | |
346 | 75.0k | sm = sm->next; |
347 | 75.0k | } |
348 | | |
349 | 174k | if (read > 0 && write == 0) { |
350 | 163 | type = DETECT_PKTVAR_TYPE_READ; |
351 | 174k | } else if (read == 0 && write > 0) { |
352 | 243 | type = DETECT_PKTVAR_TYPE_SET; |
353 | 173k | } else if (read > 0 && write > 0) { |
354 | 18 | type = DETECT_PKTVAR_TYPE_SET_READ; |
355 | 18 | } |
356 | | |
357 | 174k | return type; |
358 | 174k | } |
359 | | |
360 | | /** |
361 | | * \brief Returns the xbit type set for this signature. If more than one |
362 | | * xbit has been set for the same rule, we return the xbit type of |
363 | | * the maximum priority/value, where priority/value is maximum for the |
364 | | * ones that set the value and the lowest for ones that read the value. |
365 | | * If no xbit has been set for the rule, we return 0, which indicates |
366 | | * the least value amongst xbit types. |
367 | | * |
368 | | * \param sig Pointer to the Signature from which the xbit value has to be |
369 | | * returned. |
370 | | * |
371 | | * \retval xbits The xbits type for this signature if it is set; if it is |
372 | | * not set, return 0 |
373 | | */ |
374 | | static inline int SCSigGetXbitsType(Signature *sig, enum VarTypes type) |
375 | 348k | { |
376 | 348k | DetectXbitsData *fb = NULL; |
377 | 348k | int xbits_user_type = DETECT_XBITS_NOT_USED; |
378 | 348k | int read = 0; |
379 | 348k | int write = 0; |
380 | 348k | SigMatch *sm = sig->init_data->smlists[DETECT_SM_LIST_MATCH]; |
381 | | |
382 | 498k | while (sm != NULL) { |
383 | 150k | if (sm->type == DETECT_XBITS) { |
384 | 574 | fb = (DetectXbitsData *)sm->ctx; |
385 | 574 | if (fb->type == type) { |
386 | 287 | if (fb->cmd == DETECT_XBITS_CMD_ISNOTSET || |
387 | 287 | fb->cmd == DETECT_XBITS_CMD_ISSET) { |
388 | 287 | read++; |
389 | 287 | } else { |
390 | | #ifdef DEBUG |
391 | | BUG_ON(1); |
392 | | #endif |
393 | 0 | } |
394 | 287 | } |
395 | 574 | } |
396 | | |
397 | 150k | sm = sm->next; |
398 | 150k | } |
399 | | |
400 | 348k | sm = sig->init_data->smlists[DETECT_SM_LIST_POSTMATCH]; |
401 | 402k | while (sm != NULL) { |
402 | 53.8k | if (sm->type == DETECT_HOSTBITS) { |
403 | 372 | fb = (DetectXbitsData *)sm->ctx; |
404 | 372 | if (fb->type == type) { |
405 | 186 | if (fb->cmd == DETECT_XBITS_CMD_SET || |
406 | 72 | fb->cmd == DETECT_XBITS_CMD_UNSET || |
407 | 186 | fb->cmd == DETECT_XBITS_CMD_TOGGLE) { |
408 | 186 | write++; |
409 | 186 | } else { |
410 | | #ifdef DEBUG |
411 | | BUG_ON(1); |
412 | | #endif |
413 | 0 | } |
414 | 186 | } |
415 | 372 | } |
416 | | |
417 | 53.8k | sm = sm->next; |
418 | 53.8k | } |
419 | | |
420 | 348k | if (read > 0 && write == 0) { |
421 | 134 | xbits_user_type = DETECT_XBITS_TYPE_READ; |
422 | 348k | } else if (read == 0 && write > 0) { |
423 | 78 | xbits_user_type = DETECT_XBITS_TYPE_SET; |
424 | 348k | } else if (read > 0 && write > 0) { |
425 | 0 | xbits_user_type = DETECT_XBITS_TYPE_SET_READ; |
426 | 0 | } |
427 | | |
428 | 348k | SCLogDebug("Sig %s typeval %d", sig->msg, xbits_user_type); |
429 | | |
430 | 348k | return xbits_user_type; |
431 | 348k | } |
432 | | |
433 | | /** |
434 | | * \brief Processes the flowbits data for this signature and caches it for |
435 | | * future use. This is needed to optimize the sig_ordering module. |
436 | | * |
437 | | * \param sw The sigwrapper/signature for which the flowbits data has to be |
438 | | * cached |
439 | | */ |
440 | | static inline void SCSigProcessUserDataForFlowbits(SCSigSignatureWrapper *sw) |
441 | 174k | { |
442 | 174k | sw->user[SC_RADIX_USER_DATA_FLOWBITS] = SCSigGetFlowbitsType(sw->sig); |
443 | 174k | } |
444 | | |
445 | | /** |
446 | | * \brief Processes the flowvar data for this signature and caches it for |
447 | | * future use. This is needed to optimize the sig_ordering module. |
448 | | * |
449 | | * \param sw The sigwrapper/signature for which the flowvar data has to be |
450 | | * cached |
451 | | */ |
452 | | static inline void SCSigProcessUserDataForFlowvar(SCSigSignatureWrapper *sw) |
453 | 174k | { |
454 | 174k | sw->user[SC_RADIX_USER_DATA_FLOWVAR] = SCSigGetFlowvarType(sw->sig); |
455 | 174k | } |
456 | | |
457 | | static inline void SCSigProcessUserDataForFlowint(SCSigSignatureWrapper *sw) |
458 | 174k | { |
459 | 174k | sw->user[SC_RADIX_USER_DATA_FLOWINT] = SCSigGetFlowintType(sw->sig); |
460 | 174k | } |
461 | | |
462 | | /** |
463 | | * \brief Processes the pktvar data for this signature and caches it for |
464 | | * future use. This is needed to optimize the sig_ordering module. |
465 | | * |
466 | | * \param sw The sigwrapper/signature for which the pktvar data has to be |
467 | | * cached |
468 | | */ |
469 | | static inline void SCSigProcessUserDataForPktvar(SCSigSignatureWrapper *sw) |
470 | 174k | { |
471 | 174k | sw->user[SC_RADIX_USER_DATA_PKTVAR] = SCSigGetPktvarType(sw->sig); |
472 | 174k | } |
473 | | |
474 | | /** |
475 | | * \brief Processes the hostbits data for this signature and caches it for |
476 | | * future use. This is needed to optimize the sig_ordering module. |
477 | | * |
478 | | * \param sw The sigwrapper/signature for which the hostbits data has to be |
479 | | * cached |
480 | | */ |
481 | | static inline void SCSigProcessUserDataForHostbits(SCSigSignatureWrapper *sw) |
482 | 174k | { |
483 | 174k | sw->user[SC_RADIX_USER_DATA_HOSTBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_HOST_BIT); |
484 | 174k | } |
485 | | |
486 | | /** |
487 | | * \brief Processes the hostbits data for this signature and caches it for |
488 | | * future use. This is needed to optimize the sig_ordering module. |
489 | | * |
490 | | * \param sw The sigwrapper/signature for which the hostbits data has to be |
491 | | * cached |
492 | | */ |
493 | | static inline void SCSigProcessUserDataForIPPairbits(SCSigSignatureWrapper *sw) |
494 | 174k | { |
495 | 174k | sw->user[SC_RADIX_USER_DATA_IPPAIRBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_IPPAIR_BIT); |
496 | 174k | } |
497 | | |
498 | | /* Return 1 if sw1 comes before sw2 in the final list. */ |
499 | | static int SCSigLessThan(SCSigSignatureWrapper *sw1, |
500 | | SCSigSignatureWrapper *sw2, |
501 | | SCSigOrderFunc *cmp_func_list) |
502 | 439k | { |
503 | 439k | SCSigOrderFunc *funcs = cmp_func_list; |
504 | | |
505 | 3.53M | while (funcs != NULL) { |
506 | 3.15M | int delta = funcs->SWCompare(sw1, sw2); |
507 | 3.15M | if (delta > 0) |
508 | 36.4k | return 1; |
509 | 3.11M | else if (delta < 0) |
510 | 24.0k | return 0; |
511 | | |
512 | 3.09M | funcs = funcs->next; |
513 | 3.09M | } |
514 | | // They are equal, so use sid as the final decider. |
515 | 378k | return sw1->sig->id < sw2->sig->id; |
516 | 439k | } |
517 | | |
518 | | /* Merge sort based on a list of compare functions |
519 | | * debug asserts are here to guide scan-build */ |
520 | | static SCSigSignatureWrapper *SCSigOrder(SCSigSignatureWrapper *sw, |
521 | | SCSigOrderFunc *cmp_func_list) |
522 | 297k | { |
523 | 297k | DEBUG_VALIDATE_BUG_ON(sw == NULL); |
524 | | |
525 | 297k | SCSigSignatureWrapper *subA = NULL; |
526 | 297k | SCSigSignatureWrapper *subB = NULL; |
527 | 297k | SCSigSignatureWrapper *first; |
528 | 297k | SCSigSignatureWrapper *second; |
529 | 297k | SCSigSignatureWrapper *result = NULL; |
530 | 297k | SCSigSignatureWrapper *last = NULL; |
531 | 297k | SCSigSignatureWrapper *new = NULL; |
532 | | |
533 | | /* Divide input list into two sub-lists. */ |
534 | 569k | while (sw != NULL) { |
535 | 483k | first = sw; |
536 | 483k | sw = sw->next; |
537 | | /* Push the first element onto sub-list A */ |
538 | 483k | first->next = subA; |
539 | 483k | subA = first; |
540 | | |
541 | 483k | if (sw == NULL) |
542 | 211k | break; |
543 | 271k | second = sw; |
544 | 271k | sw = sw->next; |
545 | | /* Push the second element onto sub-list B */ |
546 | 271k | second->next = subB; |
547 | 271k | subB = second; |
548 | 271k | } |
549 | 297k | if (subB == NULL) { |
550 | | /* Only zero or one element on the list. */ |
551 | 174k | return subA; |
552 | 174k | } |
553 | 123k | DEBUG_VALIDATE_BUG_ON(subA == NULL); |
554 | | |
555 | | /* Now sort each list */ |
556 | 123k | subA = SCSigOrder(subA, cmp_func_list); |
557 | 123k | subB = SCSigOrder(subB, cmp_func_list); |
558 | 123k | DEBUG_VALIDATE_BUG_ON(subA == NULL); |
559 | 123k | DEBUG_VALIDATE_BUG_ON(subB == NULL); |
560 | | |
561 | | /* Merge the two sorted lists. */ |
562 | 562k | while (subA != NULL && subB != NULL) { |
563 | 439k | if (SCSigLessThan(subA, subB, cmp_func_list)) { |
564 | 226k | new = subA; |
565 | 226k | subA = subA->next; |
566 | 226k | } else { |
567 | 212k | new = subB; |
568 | 212k | subB = subB->next; |
569 | 212k | } |
570 | | /* Push onto the end of the output list. */ |
571 | 439k | new->next = NULL; |
572 | 439k | if (result == NULL) { |
573 | 123k | result = new; |
574 | 123k | last = new; |
575 | 316k | } else { |
576 | 316k | last->next = new; |
577 | 316k | last = new; |
578 | 316k | } |
579 | 439k | } |
580 | | /* Attach the rest of any remaining list. Only one can be non-NULL here. */ |
581 | 123k | if (subA == NULL) |
582 | 53.3k | last->next = subB; |
583 | 69.7k | else if (subB == NULL) |
584 | 69.7k | last->next = subA; |
585 | | |
586 | 123k | return result; |
587 | 123k | } |
588 | | |
589 | | /** |
590 | | * \brief Orders an incoming Signature based on its action |
591 | | * |
592 | | * \param de_ctx Pointer to the detection engine context from which the |
593 | | * signatures have to be ordered. |
594 | | * \param sw The new signature that has to be ordered based on its action |
595 | | */ |
596 | | static int SCSigOrderByActionCompare(SCSigSignatureWrapper *sw1, |
597 | | SCSigSignatureWrapper *sw2) |
598 | 439k | { |
599 | 439k | return ActionOrderVal(sw2->sig->action) - ActionOrderVal(sw1->sig->action); |
600 | 439k | } |
601 | | |
602 | | /** |
603 | | * \brief Orders an incoming Signature based on its flowbits type |
604 | | * |
605 | | * \param de_ctx Pointer to the detection engine context from which the |
606 | | * signatures have to be ordered. |
607 | | * \param sw The new signature that has to be ordered based on its flowbits |
608 | | */ |
609 | | static int SCSigOrderByFlowbitsCompare(SCSigSignatureWrapper *sw1, |
610 | | SCSigSignatureWrapper *sw2) |
611 | 416k | { |
612 | 416k | return sw1->user[SC_RADIX_USER_DATA_FLOWBITS] - |
613 | 416k | sw2->user[SC_RADIX_USER_DATA_FLOWBITS]; |
614 | 416k | } |
615 | | |
616 | | /** |
617 | | * \brief Orders an incoming Signature based on its flowvar type |
618 | | * |
619 | | * \param de_ctx Pointer to the detection engine context from which the |
620 | | * signatures have to be ordered. |
621 | | * \param sw The new signature that has to be ordered based on its flowvar |
622 | | */ |
623 | | static int SCSigOrderByFlowvarCompare(SCSigSignatureWrapper *sw1, |
624 | | SCSigSignatureWrapper *sw2) |
625 | 380k | { |
626 | 380k | return sw1->user[SC_RADIX_USER_DATA_FLOWVAR] - |
627 | 380k | sw2->user[SC_RADIX_USER_DATA_FLOWVAR]; |
628 | 380k | } |
629 | | |
630 | | /** |
631 | | * \brief Orders an incoming Signature based on its pktvar type |
632 | | * |
633 | | * \param de_ctx Pointer to the detection engine context from which the |
634 | | * signatures have to be ordered. |
635 | | * \param sw The new signature that has to be ordered based on its pktvar |
636 | | */ |
637 | | static int SCSigOrderByPktvarCompare(SCSigSignatureWrapper *sw1, |
638 | | SCSigSignatureWrapper *sw2) |
639 | 379k | { |
640 | 379k | return sw1->user[SC_RADIX_USER_DATA_PKTVAR] - |
641 | 379k | sw2->user[SC_RADIX_USER_DATA_PKTVAR]; |
642 | 379k | } |
643 | | |
644 | | static int SCSigOrderByFlowintCompare(SCSigSignatureWrapper *sw1, |
645 | | SCSigSignatureWrapper *sw2) |
646 | 402k | { |
647 | 402k | return sw1->user[SC_RADIX_USER_DATA_FLOWINT] - |
648 | 402k | sw2->user[SC_RADIX_USER_DATA_FLOWINT]; |
649 | 402k | } |
650 | | |
651 | | /** |
652 | | * \brief Orders an incoming Signature based on its hostbits type |
653 | | * |
654 | | * \param de_ctx Pointer to the detection engine context from which the |
655 | | * signatures have to be ordered. |
656 | | * \param sw The new signature that has to be ordered based on its hostbits |
657 | | */ |
658 | | static int SCSigOrderByHostbitsCompare(SCSigSignatureWrapper *sw1, |
659 | | SCSigSignatureWrapper *sw2) |
660 | 379k | { |
661 | 379k | return sw1->user[SC_RADIX_USER_DATA_HOSTBITS] - |
662 | 379k | sw2->user[SC_RADIX_USER_DATA_HOSTBITS]; |
663 | 379k | } |
664 | | |
665 | | /** |
666 | | * \brief Orders an incoming Signature based on its ippairbits (xbits) type |
667 | | * |
668 | | * \param de_ctx Pointer to the detection engine context from which the |
669 | | * signatures have to be ordered. |
670 | | * \param sw The new signature that has to be ordered based on its bits |
671 | | */ |
672 | | static int SCSigOrderByIPPairbitsCompare(SCSigSignatureWrapper *sw1, |
673 | | SCSigSignatureWrapper *sw2) |
674 | 379k | { |
675 | 379k | return sw1->user[SC_RADIX_USER_DATA_IPPAIRBITS] - |
676 | 379k | sw2->user[SC_RADIX_USER_DATA_IPPAIRBITS]; |
677 | 379k | } |
678 | | |
679 | | /** |
680 | | * \brief Orders an incoming Signature based on its priority type |
681 | | * |
682 | | * \param de_ctx Pointer to the detection engine context from which the |
683 | | * signatures have to be ordered. |
684 | | * \param sw The new signature that has to be ordered based on its priority |
685 | | */ |
686 | | static int SCSigOrderByPriorityCompare(SCSigSignatureWrapper *sw1, |
687 | | SCSigSignatureWrapper *sw2) |
688 | 379k | { |
689 | 379k | if (sw1->sig->prio > sw2->sig->prio) { |
690 | 201 | return -1; |
691 | 378k | } else if (sw1->sig->prio < sw2->sig->prio) { |
692 | 246 | return 1; |
693 | 246 | } |
694 | 378k | return 0; |
695 | 379k | } |
696 | | |
697 | | /** |
698 | | * \brief Creates a Wrapper around the Signature |
699 | | * |
700 | | * \param Pointer to the Signature to be wrapped |
701 | | * |
702 | | * \retval sw Pointer to the wrapper that holds the signature |
703 | | */ |
704 | | static inline SCSigSignatureWrapper *SCSigAllocSignatureWrapper(Signature *sig) |
705 | 174k | { |
706 | 174k | SCSigSignatureWrapper *sw = NULL; |
707 | | |
708 | 174k | if ( (sw = SCMalloc(sizeof(SCSigSignatureWrapper))) == NULL) |
709 | 0 | return NULL; |
710 | 174k | memset(sw, 0, sizeof(SCSigSignatureWrapper)); |
711 | | |
712 | 174k | sw->sig = sig; |
713 | | |
714 | | /* Process data from the signature into a cache for further use by the |
715 | | * sig_ordering module */ |
716 | 174k | SCSigProcessUserDataForFlowbits(sw); |
717 | 174k | SCSigProcessUserDataForFlowvar(sw); |
718 | 174k | SCSigProcessUserDataForFlowint(sw); |
719 | 174k | SCSigProcessUserDataForPktvar(sw); |
720 | 174k | SCSigProcessUserDataForHostbits(sw); |
721 | 174k | SCSigProcessUserDataForIPPairbits(sw); |
722 | | |
723 | 174k | return sw; |
724 | 174k | } |
725 | | |
726 | | /** |
727 | | * \brief Orders the signatures |
728 | | * |
729 | | * \param de_ctx Pointer to the Detection Engine Context that holds the |
730 | | * signatures to be ordered |
731 | | */ |
732 | | void SCSigOrderSignatures(DetectEngineCtx *de_ctx) |
733 | 60.6k | { |
734 | 60.6k | if (de_ctx->sig_list == NULL) { |
735 | 40.5k | SCLogDebug("no signatures to order"); |
736 | 40.5k | return; |
737 | 40.5k | } |
738 | | |
739 | 20.0k | Signature *sig = NULL; |
740 | 20.0k | SCSigSignatureWrapper *sigw = NULL; |
741 | 20.0k | SCSigSignatureWrapper *sigw_list = NULL; |
742 | | #ifdef DEBUG |
743 | | int i = 0; |
744 | | #endif |
745 | 20.0k | SCLogDebug("ordering signatures in memory"); |
746 | | |
747 | 20.0k | sig = de_ctx->sig_list; |
748 | 77.1k | while (sig != NULL) { |
749 | 57.0k | sigw = SCSigAllocSignatureWrapper(sig); |
750 | | /* Push signature wrapper onto a list, order doesn't matter here. */ |
751 | 57.0k | sigw->next = sigw_list; |
752 | 57.0k | sigw_list = sigw; |
753 | | |
754 | 57.0k | sig = sig->next; |
755 | | #ifdef DEBUG |
756 | | i++; |
757 | | #endif |
758 | 57.0k | } |
759 | | |
760 | | /* Sort the list */ |
761 | 20.0k | sigw_list = SCSigOrder(sigw_list, de_ctx->sc_sig_order_funcs); |
762 | | |
763 | 20.0k | SCLogDebug("Total Signatures to be processed by the" |
764 | 20.0k | "sigordering module: %d", i); |
765 | | |
766 | | /* Recreate the sig list in order */ |
767 | 20.0k | de_ctx->sig_list = NULL; |
768 | 20.0k | sigw = sigw_list; |
769 | | #ifdef DEBUG |
770 | | i = 0; |
771 | | #endif |
772 | 77.1k | while (sigw != NULL) { |
773 | | #ifdef DEBUG |
774 | | i++; |
775 | | #endif |
776 | 57.0k | sigw->sig->next = NULL; |
777 | 57.0k | if (de_ctx->sig_list == NULL) { |
778 | | /* First entry on the list */ |
779 | 20.0k | de_ctx->sig_list = sigw->sig; |
780 | 20.0k | sig = de_ctx->sig_list; |
781 | 36.9k | } else { |
782 | 36.9k | sig->next = sigw->sig; |
783 | 36.9k | sig = sig->next; |
784 | 36.9k | } |
785 | 57.0k | SCSigSignatureWrapper *sigw_to_free = sigw; |
786 | 57.0k | sigw = sigw->next; |
787 | 57.0k | SCFree(sigw_to_free); |
788 | 57.0k | } |
789 | | |
790 | 20.0k | SCLogDebug("total signatures reordered by the sigordering module: %d", i); |
791 | 20.0k | } |
792 | | |
793 | | /** |
794 | | * \brief Lets you register the Signature ordering functions. The order in |
795 | | * which the functions are registered shows the priority. The first |
796 | | * function registered provides more priority than the function |
797 | | * registered after it. To add a new registration function, register |
798 | | * it by listing it in the correct position in the below sequence, |
799 | | * based on the priority you would want to offer to that keyword. |
800 | | * |
801 | | * \param de_ctx Pointer to the detection engine context from which the |
802 | | * signatures have to be ordered. |
803 | | */ |
804 | | void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *de_ctx) |
805 | 130k | { |
806 | 130k | SCLogDebug("registering signature ordering functions"); |
807 | | |
808 | 130k | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
809 | 130k | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
810 | 130k | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowintCompare); |
811 | 130k | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
812 | 130k | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
813 | 130k | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByHostbitsCompare); |
814 | 130k | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByIPPairbitsCompare); |
815 | 130k | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
816 | 130k | } |
817 | | |
818 | | /** |
819 | | * \brief De-registers all the signature ordering functions registered |
820 | | * |
821 | | * \param de_ctx Pointer to the detection engine context from which the |
822 | | * signatures were ordered. |
823 | | */ |
824 | | void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx) |
825 | 261k | { |
826 | 261k | SCSigOrderFunc *funcs; |
827 | 261k | void *temp; |
828 | | |
829 | | /* clean the memory alloted to the signature ordering funcs */ |
830 | 261k | funcs = de_ctx->sc_sig_order_funcs; |
831 | 1.30M | while (funcs != NULL) { |
832 | 1.04M | temp = funcs; |
833 | 1.04M | funcs = funcs->next; |
834 | 1.04M | SCFree(temp); |
835 | 1.04M | } |
836 | 261k | de_ctx->sc_sig_order_funcs = NULL; |
837 | 261k | } |
838 | | |
839 | | /**********Unittests**********/ |
840 | | |
841 | | DetectEngineCtx *DetectEngineCtxInit(void); |
842 | | Signature *DetectEngineAppendSig(DetectEngineCtx *, const char *); |
843 | | void SigFree(DetectEngineCtx *, Signature *); |
844 | | void DetectEngineCtxFree(DetectEngineCtx *); |
845 | | |
846 | | #ifdef UNITTESTS |
847 | | |
848 | | static int SCSigOrderingTest01(void) |
849 | | { |
850 | | SCSigOrderFunc *temp = NULL; |
851 | | int i = 0; |
852 | | |
853 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
854 | | FAIL_IF_NULL(de_ctx); |
855 | | |
856 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
857 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
858 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
859 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
860 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
861 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
862 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
863 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
864 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
865 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
866 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
867 | | |
868 | | temp = de_ctx->sc_sig_order_funcs; |
869 | | while (temp != NULL) { |
870 | | i++; |
871 | | temp = temp->next; |
872 | | } |
873 | | |
874 | | DetectEngineCtxFree(de_ctx); |
875 | | |
876 | | FAIL_IF_NOT(i == 5); |
877 | | |
878 | | PASS; |
879 | | } |
880 | | |
881 | | static int SCSigOrderingTest02(void) |
882 | | { |
883 | | Signature *sig = NULL; |
884 | | |
885 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
886 | | FAIL_IF(de_ctx == NULL); |
887 | | |
888 | | sig = DetectEngineAppendSig(de_ctx, |
889 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)"); |
890 | | FAIL_IF_NULL(sig); |
891 | | |
892 | | sig = DetectEngineAppendSig(de_ctx, |
893 | | "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:2;)"); |
894 | | FAIL_IF_NULL(sig); |
895 | | |
896 | | sig = DetectEngineAppendSig(de_ctx, |
897 | | "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:3;)"); |
898 | | FAIL_IF_NULL(sig); |
899 | | |
900 | | sig = DetectEngineAppendSig(de_ctx, |
901 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; flowvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:4;)"); |
902 | | FAIL_IF_NULL(sig); |
903 | | |
904 | | sig = DetectEngineAppendSig(de_ctx, |
905 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:5;)"); |
906 | | FAIL_IF_NULL(sig); |
907 | | |
908 | | sig = DetectEngineAppendSig(de_ctx, |
909 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:6;)"); |
910 | | FAIL_IF_NULL(sig); |
911 | | |
912 | | sig = DetectEngineAppendSig(de_ctx, |
913 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:7;)"); |
914 | | FAIL_IF_NULL(sig); |
915 | | |
916 | | sig = DetectEngineAppendSig(de_ctx, |
917 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)"); |
918 | | FAIL_IF_NULL(sig); |
919 | | |
920 | | sig = DetectEngineAppendSig(de_ctx, |
921 | | "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowbits:set,TEST.one; flowbits:noalert; sid:9;)"); |
922 | | FAIL_IF_NULL(sig); |
923 | | |
924 | | sig = DetectEngineAppendSig(de_ctx, |
925 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)"); |
926 | | FAIL_IF_NULL(sig); |
927 | | |
928 | | sig = DetectEngineAppendSig(de_ctx, |
929 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)"); |
930 | | FAIL_IF_NULL(sig); |
931 | | |
932 | | sig = DetectEngineAppendSig(de_ctx, |
933 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)"); |
934 | | FAIL_IF_NULL(sig); |
935 | | |
936 | | sig = DetectEngineAppendSig(de_ctx, |
937 | | "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; priority:2; flowbits:isnotset,TEST.two; sid:13;)"); |
938 | | FAIL_IF_NULL(sig); |
939 | | |
940 | | sig = DetectEngineAppendSig(de_ctx, |
941 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowbits:set,TEST.two; sid:14;)"); |
942 | | FAIL_IF_NULL(sig); |
943 | | |
944 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
945 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
946 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
947 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
948 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
949 | | SCSigOrderSignatures(de_ctx); |
950 | | |
951 | | sig = de_ctx->sig_list; |
952 | | |
953 | | #ifdef DEBUG |
954 | | while (sig != NULL) { |
955 | | printf("sid: %d\n", sig->id); |
956 | | sig = sig->next; |
957 | | } |
958 | | #endif |
959 | | |
960 | | sig = de_ctx->sig_list; |
961 | | |
962 | | /* pass */ |
963 | | FAIL_IF_NOT(sig->id == 6); |
964 | | sig = sig->next; |
965 | | FAIL_IF_NOT(sig->id == 4); |
966 | | sig = sig->next; |
967 | | FAIL_IF_NOT(sig->id == 8); |
968 | | sig = sig->next; |
969 | | FAIL_IF_NOT(sig->id == 7); |
970 | | sig = sig->next; |
971 | | FAIL_IF_NOT(sig->id == 10); |
972 | | sig = sig->next; |
973 | | |
974 | | /* drops */ |
975 | | FAIL_IF_NOT(sig->id == 9); |
976 | | sig = sig->next; |
977 | | FAIL_IF_NOT(sig->id == 13); |
978 | | sig = sig->next; |
979 | | FAIL_IF_NOT(sig->id == 2); |
980 | | sig = sig->next; |
981 | | FAIL_IF_NOT(sig->id == 3); |
982 | | sig = sig->next; |
983 | | |
984 | | /* alerts */ |
985 | | FAIL_IF_NOT(sig->id == 14); |
986 | | sig = sig->next; |
987 | | FAIL_IF_NOT(sig->id == 5); |
988 | | sig = sig->next; |
989 | | FAIL_IF_NOT(sig->id == 1); |
990 | | sig = sig->next; |
991 | | FAIL_IF_NOT(sig->id == 11); |
992 | | sig = sig->next; |
993 | | FAIL_IF_NOT(sig->id == 12); |
994 | | sig = sig->next; |
995 | | |
996 | | DetectEngineCtxFree(de_ctx); |
997 | | PASS; |
998 | | } |
999 | | |
1000 | | static int SCSigOrderingTest03(void) |
1001 | | { |
1002 | | Signature *sig = NULL; |
1003 | | |
1004 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1005 | | FAIL_IF_NULL(de_ctx); |
1006 | | |
1007 | | sig = DetectEngineAppendSig(de_ctx, |
1008 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1009 | | "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:1;)"); |
1010 | | FAIL_IF_NULL(sig); |
1011 | | |
1012 | | sig = DetectEngineAppendSig(de_ctx, |
1013 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1014 | | "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:2;)"); |
1015 | | FAIL_IF_NULL(sig); |
1016 | | |
1017 | | sig = DetectEngineAppendSig(de_ctx, |
1018 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1019 | | "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; " |
1020 | | "flowbits:unset,TEST.one; rev:4; priority:2; sid:3;)"); |
1021 | | FAIL_IF_NULL(sig); |
1022 | | |
1023 | | sig = DetectEngineAppendSig(de_ctx, |
1024 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1025 | | "offset:0; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; " |
1026 | | "flowbits:isset,TEST.one; rev:4; priority:1; sid:4;)"); |
1027 | | FAIL_IF_NULL(sig); |
1028 | | |
1029 | | sig = DetectEngineAppendSig(de_ctx, |
1030 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1031 | | "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; priority:2; sid:5;)"); |
1032 | | FAIL_IF_NULL(sig); |
1033 | | |
1034 | | sig = DetectEngineAppendSig(de_ctx, |
1035 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1036 | | "content:\"220\"; offset:10; flowbits:isnotset,TEST.one; pcre:\"/^User-Agent: " |
1037 | | "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; sid:6;)"); |
1038 | | FAIL_IF_NULL(sig); |
1039 | | |
1040 | | sig = DetectEngineAppendSig(de_ctx, |
1041 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1042 | | "content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; " |
1043 | | "flowbits:unset,TEST.one; rev:4; priority:3; sid:7;)"); |
1044 | | FAIL_IF_NULL(sig); |
1045 | | |
1046 | | sig = DetectEngineAppendSig(de_ctx, |
1047 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1048 | | "offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:toggle,TEST.one; rev:4; priority:1; " |
1049 | | "pktvar:http_host,\"www.oisf.net\"; sid:8;)"); |
1050 | | FAIL_IF_NULL(sig); |
1051 | | |
1052 | | sig = DetectEngineAppendSig(de_ctx, |
1053 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1054 | | "content:\"220\"; offset:10; depth:4; rev:4; flowbits:set,TEST.one; " |
1055 | | "flowbits:noalert; pktvar:http_host,\"www.oisf.net\"; sid:9;)"); |
1056 | | FAIL_IF_NULL(sig); |
1057 | | |
1058 | | sig = DetectEngineAppendSig(de_ctx, |
1059 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1060 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)"); |
1061 | | FAIL_IF_NULL(sig); |
1062 | | |
1063 | | sig = DetectEngineAppendSig(de_ctx, |
1064 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1065 | | "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)"); |
1066 | | FAIL_IF_NULL(sig); |
1067 | | |
1068 | | sig = DetectEngineAppendSig(de_ctx, |
1069 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1070 | | "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)"); |
1071 | | FAIL_IF_NULL(sig); |
1072 | | |
1073 | | sig = DetectEngineAppendSig(de_ctx, |
1074 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1075 | | "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:isnotset,TEST.one; sid:13;)"); |
1076 | | FAIL_IF_NULL(sig); |
1077 | | |
1078 | | sig = DetectEngineAppendSig(de_ctx, |
1079 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1080 | | "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:set,TEST.one; sid:14;)"); |
1081 | | FAIL_IF_NULL(sig); |
1082 | | |
1083 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
1084 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
1085 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
1086 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
1087 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
1088 | | SCSigOrderSignatures(de_ctx); |
1089 | | |
1090 | | sig = de_ctx->sig_list; |
1091 | | |
1092 | | #ifdef DEBUG |
1093 | | while (sig != NULL) { |
1094 | | printf("sid: %d\n", sig->id); |
1095 | | sig = sig->next; |
1096 | | } |
1097 | | #endif |
1098 | | |
1099 | | sig = de_ctx->sig_list; |
1100 | | |
1101 | | FAIL_IF_NOT(sig->id == 3); |
1102 | | sig = sig->next; |
1103 | | |
1104 | | FAIL_IF_NOT(sig->id == 8); |
1105 | | sig = sig->next; |
1106 | | FAIL_IF_NOT(sig->id == 9); |
1107 | | sig = sig->next; |
1108 | | FAIL_IF_NOT(sig->id == 7); |
1109 | | sig = sig->next; |
1110 | | FAIL_IF_NOT(sig->id == 14); |
1111 | | sig = sig->next; |
1112 | | FAIL_IF_NOT(sig->id == 6); |
1113 | | sig = sig->next; |
1114 | | FAIL_IF_NOT(sig->id == 4); |
1115 | | sig = sig->next; |
1116 | | FAIL_IF_NOT(sig->id == 13); |
1117 | | sig = sig->next; |
1118 | | FAIL_IF_NOT(sig->id == 2); |
1119 | | sig = sig->next; |
1120 | | FAIL_IF_NOT(sig->id == 5); |
1121 | | sig = sig->next; |
1122 | | FAIL_IF_NOT(sig->id == 1); |
1123 | | sig = sig->next; |
1124 | | FAIL_IF_NOT(sig->id == 10); |
1125 | | sig = sig->next; |
1126 | | FAIL_IF_NOT(sig->id == 11); |
1127 | | sig = sig->next; |
1128 | | FAIL_IF_NOT(sig->id == 12); |
1129 | | |
1130 | | sig = sig->next; |
1131 | | |
1132 | | DetectEngineCtxFree(de_ctx); |
1133 | | |
1134 | | PASS; |
1135 | | } |
1136 | | |
1137 | | static int SCSigOrderingTest04(void) |
1138 | | { |
1139 | | |
1140 | | Signature *sig = NULL; |
1141 | | |
1142 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1143 | | FAIL_IF(de_ctx == NULL); |
1144 | | |
1145 | | sig = DetectEngineAppendSig(de_ctx, |
1146 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1147 | | "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)"); |
1148 | | FAIL_IF_NULL(sig); |
1149 | | |
1150 | | sig = DetectEngineAppendSig(de_ctx, |
1151 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1152 | | "pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; " |
1153 | | "offset:10; rev:4; priority:3; sid:2;)"); |
1154 | | FAIL_IF_NULL(sig); |
1155 | | |
1156 | | sig = DetectEngineAppendSig(de_ctx, |
1157 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1158 | | "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: " |
1159 | | "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)"); |
1160 | | FAIL_IF_NULL(sig); |
1161 | | |
1162 | | sig = DetectEngineAppendSig(de_ctx, |
1163 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1164 | | "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; " |
1165 | | "priority:3; flowvar:http_host,\"www.oisf.net\"; sid:4;)"); |
1166 | | FAIL_IF_NULL(sig); |
1167 | | |
1168 | | sig = DetectEngineAppendSig(de_ctx, |
1169 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1170 | | "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; " |
1171 | | "pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)"); |
1172 | | FAIL_IF_NULL(sig); |
1173 | | |
1174 | | sig = DetectEngineAppendSig(de_ctx, |
1175 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1176 | | "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; " |
1177 | | "pktvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:6;)"); |
1178 | | FAIL_IF_NULL(sig); |
1179 | | |
1180 | | sig = DetectEngineAppendSig(de_ctx, |
1181 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1182 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; flowvar:http_host,\"www.oisf.net\"; " |
1183 | | "pktvar:http_host,\"www.oisf.net\"; priority:1; sid:7;)"); |
1184 | | FAIL_IF_NULL(sig); |
1185 | | |
1186 | | sig = DetectEngineAppendSig(de_ctx, |
1187 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1188 | | "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; " |
1189 | | "flowvar:http_host,\"www.oisf.net\"; sid:8;)"); |
1190 | | FAIL_IF_NULL(sig); |
1191 | | |
1192 | | sig = DetectEngineAppendSig(de_ctx, |
1193 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1194 | | "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; " |
1195 | | "flowvar:http_host,\"www.oisf.net\"; sid:9;)"); |
1196 | | FAIL_IF_NULL(sig); |
1197 | | |
1198 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
1199 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
1200 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
1201 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
1202 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
1203 | | SCSigOrderSignatures(de_ctx); |
1204 | | |
1205 | | sig = de_ctx->sig_list; |
1206 | | |
1207 | | #ifdef DEBUG |
1208 | | while (sig != NULL) { |
1209 | | printf("sid: %d\n", sig->id); |
1210 | | sig = sig->next; |
1211 | | } |
1212 | | #endif |
1213 | | |
1214 | | sig = de_ctx->sig_list; |
1215 | | |
1216 | | /* flowvar set */ |
1217 | | sig = sig->next; |
1218 | | FAIL_IF_NOT(sig->id == 3); |
1219 | | sig = sig->next; |
1220 | | FAIL_IF_NOT(sig->id == 4); |
1221 | | sig = sig->next; |
1222 | | FAIL_IF_NOT(sig->id == 7); |
1223 | | sig = sig->next; |
1224 | | FAIL_IF_NOT(sig->id == 8); |
1225 | | sig = sig->next; |
1226 | | FAIL_IF_NOT(sig->id == 9); |
1227 | | sig = sig->next; |
1228 | | |
1229 | | /* pktvar */ |
1230 | | |
1231 | | FAIL_IF_NOT(sig->id == 5); |
1232 | | sig = sig->next; |
1233 | | FAIL_IF_NOT(sig->id == 6); |
1234 | | sig = sig->next; |
1235 | | |
1236 | | FAIL_IF_NOT(sig->id == 1); |
1237 | | sig = sig->next; |
1238 | | |
1239 | | DetectEngineCtxFree(de_ctx); |
1240 | | |
1241 | | PASS; |
1242 | | } |
1243 | | |
1244 | | static int SCSigOrderingTest05(void) |
1245 | | { |
1246 | | Signature *sig = NULL; |
1247 | | |
1248 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1249 | | FAIL_IF(de_ctx == NULL); |
1250 | | |
1251 | | sig = DetectEngineAppendSig(de_ctx, |
1252 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1253 | | "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)"); |
1254 | | FAIL_IF_NULL(sig); |
1255 | | |
1256 | | sig = DetectEngineAppendSig(de_ctx, |
1257 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1258 | | "pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; content:\"220\"; " |
1259 | | "offset:10; rev:4; priority:3; sid:2;)"); |
1260 | | FAIL_IF_NULL(sig); |
1261 | | |
1262 | | sig = DetectEngineAppendSig(de_ctx, |
1263 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1264 | | "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: " |
1265 | | "(?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)"); |
1266 | | FAIL_IF_NULL(sig); |
1267 | | |
1268 | | sig = DetectEngineAppendSig(de_ctx, |
1269 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1270 | | "offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; " |
1271 | | "priority:3; pktvar:http_host,\"www.oisf.net\"; sid:4;)"); |
1272 | | FAIL_IF_NULL(sig); |
1273 | | |
1274 | | sig = DetectEngineAppendSig(de_ctx, |
1275 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1276 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)"); |
1277 | | FAIL_IF_NULL(sig); |
1278 | | |
1279 | | sig = DetectEngineAppendSig(de_ctx, |
1280 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1281 | | "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:6;)"); |
1282 | | FAIL_IF_NULL(sig); |
1283 | | |
1284 | | sig = DetectEngineAppendSig(de_ctx, |
1285 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1286 | | "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; " |
1287 | | "pktvar:http_host,\"www.oisf.net\"; sid:7;)"); |
1288 | | FAIL_IF_NULL(sig); |
1289 | | |
1290 | | sig = DetectEngineAppendSig(de_ctx, |
1291 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1292 | | "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; " |
1293 | | "pktvar:http_host,\"www.oisf.net\"; sid:8;)"); |
1294 | | FAIL_IF_NULL(sig); |
1295 | | |
1296 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
1297 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
1298 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
1299 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
1300 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
1301 | | SCSigOrderSignatures(de_ctx); |
1302 | | |
1303 | | sig = de_ctx->sig_list; |
1304 | | |
1305 | | //#ifdef DEBUG |
1306 | | while (sig != NULL) { |
1307 | | printf("sid: %d\n", sig->id); |
1308 | | sig = sig->next; |
1309 | | } |
1310 | | //#endif |
1311 | | |
1312 | | sig = de_ctx->sig_list; |
1313 | | |
1314 | | /* pktvar set */ |
1315 | | FAIL_IF_NOT(sig->id == 2); |
1316 | | sig = sig->next; |
1317 | | FAIL_IF_NOT(sig->id == 3); |
1318 | | sig = sig->next; |
1319 | | FAIL_IF_NOT(sig->id == 4); |
1320 | | sig = sig->next; |
1321 | | /* pktvar read */ |
1322 | | FAIL_IF_NOT(sig->id == 7); |
1323 | | sig = sig->next; |
1324 | | FAIL_IF_NOT(sig->id == 8); |
1325 | | sig = sig->next; |
1326 | | FAIL_IF_NOT(sig->id == 1); |
1327 | | sig = sig->next; |
1328 | | FAIL_IF_NOT(sig->id == 5); |
1329 | | sig = sig->next; |
1330 | | FAIL_IF_NOT(sig->id == 6); |
1331 | | sig = sig->next; |
1332 | | |
1333 | | DetectEngineCtxFree(de_ctx); |
1334 | | |
1335 | | PASS; |
1336 | | } |
1337 | | |
1338 | | static int SCSigOrderingTest06(void) |
1339 | | { |
1340 | | |
1341 | | Signature *sig = NULL; |
1342 | | |
1343 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1344 | | FAIL_IF_NULL(de_ctx); |
1345 | | |
1346 | | sig = DetectEngineAppendSig(de_ctx, |
1347 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1348 | | "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)"); |
1349 | | FAIL_IF_NULL(sig); |
1350 | | |
1351 | | sig = DetectEngineAppendSig(de_ctx, |
1352 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1353 | | "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)"); |
1354 | | FAIL_IF_NULL(sig); |
1355 | | |
1356 | | sig = DetectEngineAppendSig(de_ctx, |
1357 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1358 | | "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)"); |
1359 | | FAIL_IF_NULL(sig); |
1360 | | |
1361 | | sig = DetectEngineAppendSig(de_ctx, |
1362 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; " |
1363 | | "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)"); |
1364 | | FAIL_IF_NULL(sig); |
1365 | | |
1366 | | sig = DetectEngineAppendSig(de_ctx, |
1367 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1368 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)"); |
1369 | | FAIL_IF_NULL(sig); |
1370 | | |
1371 | | sig = DetectEngineAppendSig(de_ctx, |
1372 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1373 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)"); |
1374 | | FAIL_IF_NULL(sig); |
1375 | | sig = DetectEngineAppendSig(de_ctx, |
1376 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1377 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)"); |
1378 | | FAIL_IF_NULL(sig); |
1379 | | |
1380 | | sig = DetectEngineAppendSig(de_ctx, |
1381 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; " |
1382 | | "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)"); |
1383 | | FAIL_IF_NULL(sig); |
1384 | | |
1385 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
1386 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
1387 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
1388 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
1389 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
1390 | | SCSigOrderSignatures(de_ctx); |
1391 | | |
1392 | | sig = de_ctx->sig_list; |
1393 | | |
1394 | | #ifdef DEBUG |
1395 | | while (sig != NULL) { |
1396 | | printf("sid: %d\n", sig->id); |
1397 | | sig = sig->next; |
1398 | | } |
1399 | | #endif |
1400 | | |
1401 | | sig = de_ctx->sig_list; |
1402 | | |
1403 | | FAIL_IF_NOT(sig->id == 6); |
1404 | | sig = sig->next; |
1405 | | FAIL_IF_NOT(sig->id == 2); |
1406 | | sig = sig->next; |
1407 | | FAIL_IF_NOT(sig->id == 4); |
1408 | | sig = sig->next; |
1409 | | FAIL_IF_NOT(sig->id == 5); |
1410 | | sig = sig->next; |
1411 | | FAIL_IF_NOT(sig->id == 7); |
1412 | | sig = sig->next; |
1413 | | FAIL_IF_NOT(sig->id == 8); |
1414 | | sig = sig->next; |
1415 | | FAIL_IF_NOT(sig->id == 1); |
1416 | | sig = sig->next; |
1417 | | FAIL_IF_NOT(sig->id == 3); |
1418 | | sig = sig->next; |
1419 | | |
1420 | | DetectEngineCtxFree(de_ctx); |
1421 | | |
1422 | | PASS; |
1423 | | } |
1424 | | static int SCSigOrderingTest07(void) |
1425 | | { |
1426 | | |
1427 | | Signature *sig = NULL; |
1428 | | |
1429 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1430 | | FAIL_IF(de_ctx == NULL); |
1431 | | |
1432 | | sig = DetectEngineAppendSig(de_ctx, |
1433 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; " |
1434 | | "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)"); |
1435 | | FAIL_IF_NULL(sig); |
1436 | | |
1437 | | sig = DetectEngineAppendSig(de_ctx, |
1438 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; " |
1439 | | "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)"); |
1440 | | FAIL_IF_NULL(sig); |
1441 | | |
1442 | | sig = DetectEngineAppendSig(de_ctx, |
1443 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; " |
1444 | | "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)"); |
1445 | | FAIL_IF_NULL(sig); |
1446 | | |
1447 | | sig = DetectEngineAppendSig(de_ctx, |
1448 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; " |
1449 | | "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)"); |
1450 | | FAIL_IF_NULL(sig); |
1451 | | |
1452 | | sig = DetectEngineAppendSig(de_ctx, |
1453 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; " |
1454 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)"); |
1455 | | FAIL_IF_NULL(sig); |
1456 | | |
1457 | | sig = DetectEngineAppendSig(de_ctx, |
1458 | | "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; " |
1459 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)"); |
1460 | | FAIL_IF_NULL(sig); |
1461 | | |
1462 | | sig = DetectEngineAppendSig(de_ctx, |
1463 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; " |
1464 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4; priority:2;)"); |
1465 | | FAIL_IF_NULL(sig); |
1466 | | |
1467 | | sig = DetectEngineAppendSig(de_ctx, |
1468 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; " |
1469 | | "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)"); |
1470 | | FAIL_IF_NULL(sig); |
1471 | | |
1472 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
1473 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
1474 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
1475 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
1476 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
1477 | | SCSigOrderSignatures(de_ctx); |
1478 | | |
1479 | | sig = de_ctx->sig_list; |
1480 | | |
1481 | | #ifdef DEBUG |
1482 | | while (sig != NULL) { |
1483 | | printf("sid: %d\n", sig->id); |
1484 | | sig = sig->next; |
1485 | | } |
1486 | | #endif |
1487 | | |
1488 | | sig = de_ctx->sig_list; |
1489 | | |
1490 | | FAIL_IF_NOT(sig->id == 2); |
1491 | | sig = sig->next; |
1492 | | FAIL_IF_NOT(sig->id == 4); |
1493 | | sig = sig->next; |
1494 | | FAIL_IF_NOT(sig->id == 5); |
1495 | | sig = sig->next; |
1496 | | FAIL_IF_NOT(sig->id == 7); |
1497 | | sig = sig->next; |
1498 | | FAIL_IF_NOT(sig->id == 6); |
1499 | | sig = sig->next; |
1500 | | FAIL_IF_NOT(sig->id == 8); |
1501 | | sig = sig->next; |
1502 | | FAIL_IF_NOT(sig->id == 1); |
1503 | | sig = sig->next; |
1504 | | FAIL_IF_NOT(sig->id == 3); |
1505 | | sig = sig->next; |
1506 | | |
1507 | | DetectEngineCtxFree(de_ctx); |
1508 | | |
1509 | | PASS; |
1510 | | } |
1511 | | |
1512 | | /** |
1513 | | * \test Order with a different Action priority |
1514 | | * (as specified from config) |
1515 | | */ |
1516 | | static int SCSigOrderingTest08(void) |
1517 | | { |
1518 | | #ifdef HAVE_LIBNET11 |
1519 | | |
1520 | | Signature *sig = NULL; |
1521 | | extern uint8_t action_order_sigs[4]; |
1522 | | |
1523 | | /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */ |
1524 | | action_order_sigs[0] = ACTION_REJECT; |
1525 | | action_order_sigs[1] = ACTION_DROP; |
1526 | | action_order_sigs[2] = ACTION_ALERT; |
1527 | | action_order_sigs[3] = ACTION_PASS; |
1528 | | |
1529 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1530 | | FAIL_IF(de_ctx == NULL); |
1531 | | |
1532 | | sig = DetectEngineAppendSig(de_ctx, |
1533 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; " |
1534 | | "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)"); |
1535 | | FAIL_IF_NULL(sig); |
1536 | | |
1537 | | sig = DetectEngineAppendSig(de_ctx, |
1538 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; " |
1539 | | "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)"); |
1540 | | FAIL_IF_NULL(sig); |
1541 | | |
1542 | | sig = DetectEngineAppendSig(de_ctx, |
1543 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; " |
1544 | | "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)"); |
1545 | | FAIL_IF_NULL(sig); |
1546 | | |
1547 | | sig = DetectEngineAppendSig(de_ctx, |
1548 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; " |
1549 | | "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)"); |
1550 | | FAIL_IF_NULL(sig); |
1551 | | |
1552 | | sig = DetectEngineAppendSig(de_ctx, |
1553 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; " |
1554 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)"); |
1555 | | FAIL_IF_NULL(sig); |
1556 | | |
1557 | | sig = DetectEngineAppendSig(de_ctx, |
1558 | | "reject tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; " |
1559 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)"); |
1560 | | FAIL_IF_NULL(sig); |
1561 | | |
1562 | | sig = DetectEngineAppendSig(de_ctx, |
1563 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; " |
1564 | | "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4;)"); |
1565 | | FAIL_IF_NULL(sig); |
1566 | | |
1567 | | sig = DetectEngineAppendSig(de_ctx, |
1568 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; " |
1569 | | "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)"); |
1570 | | FAIL_IF_NULL(sig); |
1571 | | |
1572 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
1573 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
1574 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
1575 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
1576 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
1577 | | SCSigOrderSignatures(de_ctx); |
1578 | | |
1579 | | sig = de_ctx->sig_list; |
1580 | | |
1581 | | #ifdef DEBUG |
1582 | | while (sig != NULL) { |
1583 | | printf("sid: %d\n", sig->id); |
1584 | | sig = sig->next; |
1585 | | } |
1586 | | #endif |
1587 | | |
1588 | | sig = de_ctx->sig_list; |
1589 | | |
1590 | | FAIL_IF_NOT(sig->id == 6); |
1591 | | sig = sig->next; |
1592 | | FAIL_IF_NOT(sig->id == 8); |
1593 | | sig = sig->next; |
1594 | | FAIL_IF_NOT(sig->id == 1); |
1595 | | sig = sig->next; |
1596 | | FAIL_IF_NOT(sig->id == 3); |
1597 | | sig = sig->next; |
1598 | | FAIL_IF_NOT(sig->id == 2); |
1599 | | sig = sig->next; |
1600 | | FAIL_IF_NOT(sig->id == 4); |
1601 | | sig = sig->next; |
1602 | | FAIL_IF_NOT(sig->id == 5); |
1603 | | sig = sig->next; |
1604 | | FAIL_IF_NOT(sig->id == 7); |
1605 | | sig = sig->next; |
1606 | | |
1607 | | /* Restore the default pre-order definition */ |
1608 | | action_order_sigs[0] = ACTION_PASS; |
1609 | | action_order_sigs[1] = ACTION_DROP; |
1610 | | action_order_sigs[2] = ACTION_REJECT; |
1611 | | action_order_sigs[3] = ACTION_ALERT; |
1612 | | |
1613 | | DetectEngineCtxFree(de_ctx); |
1614 | | |
1615 | | #endif |
1616 | | PASS; |
1617 | | } |
1618 | | |
1619 | | /** |
1620 | | * \test Order with a different Action priority |
1621 | | * (as specified from config) |
1622 | | */ |
1623 | | static int SCSigOrderingTest09(void) |
1624 | | { |
1625 | | |
1626 | | Signature *sig = NULL; |
1627 | | extern uint8_t action_order_sigs[4]; |
1628 | | |
1629 | | /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */ |
1630 | | action_order_sigs[0] = ACTION_DROP; |
1631 | | action_order_sigs[1] = ACTION_REJECT; |
1632 | | action_order_sigs[2] = ACTION_ALERT; |
1633 | | action_order_sigs[3] = ACTION_PASS; |
1634 | | |
1635 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1636 | | FAIL_IF(de_ctx == NULL); |
1637 | | |
1638 | | sig = DetectEngineAppendSig(de_ctx, |
1639 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; " |
1640 | | "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1;)"); |
1641 | | FAIL_IF_NULL(sig); |
1642 | | |
1643 | | sig = DetectEngineAppendSig(de_ctx, |
1644 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; " |
1645 | | "content:\"220\"; offset:10; priority:2; sid:2;)"); |
1646 | | FAIL_IF_NULL(sig); |
1647 | | |
1648 | | sig = DetectEngineAppendSig(de_ctx, |
1649 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; " |
1650 | | "content:\"220\"; offset:10; depth:4; priority:3; sid:3;)"); |
1651 | | FAIL_IF_NULL(sig); |
1652 | | |
1653 | | sig = DetectEngineAppendSig(de_ctx, |
1654 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; " |
1655 | | "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)"); |
1656 | | FAIL_IF_NULL(sig); |
1657 | | |
1658 | | sig = DetectEngineAppendSig(de_ctx, |
1659 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; " |
1660 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)"); |
1661 | | FAIL_IF_NULL(sig); |
1662 | | |
1663 | | sig = DetectEngineAppendSig(de_ctx, |
1664 | | "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; " |
1665 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)"); |
1666 | | FAIL_IF_NULL(sig); |
1667 | | |
1668 | | sig = DetectEngineAppendSig(de_ctx, |
1669 | | "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; " |
1670 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)"); |
1671 | | FAIL_IF_NULL(sig); |
1672 | | |
1673 | | sig = DetectEngineAppendSig(de_ctx, |
1674 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; " |
1675 | | "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)"); |
1676 | | FAIL_IF_NULL(sig); |
1677 | | |
1678 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
1679 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
1680 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
1681 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
1682 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
1683 | | SCSigOrderSignatures(de_ctx); |
1684 | | |
1685 | | sig = de_ctx->sig_list; |
1686 | | |
1687 | | #ifdef DEBUG |
1688 | | while (sig != NULL) { |
1689 | | printf("sid: %d\n", sig->id); |
1690 | | sig = sig->next; |
1691 | | } |
1692 | | #endif |
1693 | | |
1694 | | sig = de_ctx->sig_list; |
1695 | | |
1696 | | FAIL_IF_NOT(sig->id == 6); |
1697 | | sig = sig->next; |
1698 | | FAIL_IF_NOT(sig->id == 7); |
1699 | | sig = sig->next; |
1700 | | FAIL_IF_NOT(sig->id == 8); |
1701 | | sig = sig->next; |
1702 | | FAIL_IF_NOT(sig->id == 1); |
1703 | | sig = sig->next; |
1704 | | FAIL_IF_NOT(sig->id == 3); |
1705 | | sig = sig->next; |
1706 | | FAIL_IF_NOT(sig->id == 2); |
1707 | | sig = sig->next; |
1708 | | FAIL_IF_NOT(sig->id == 4); |
1709 | | sig = sig->next; |
1710 | | FAIL_IF_NOT(sig->id == 5); |
1711 | | sig = sig->next; |
1712 | | |
1713 | | /* Restore the default pre-order definition */ |
1714 | | action_order_sigs[0] = ACTION_DROP; |
1715 | | action_order_sigs[1] = ACTION_REJECT; |
1716 | | action_order_sigs[2] = ACTION_PASS; |
1717 | | action_order_sigs[3] = ACTION_ALERT; |
1718 | | |
1719 | | DetectEngineCtxFree(de_ctx); |
1720 | | PASS; |
1721 | | } |
1722 | | |
1723 | | /** |
1724 | | * \test Order with a different Action priority |
1725 | | * (as specified from config) |
1726 | | */ |
1727 | | static int SCSigOrderingTest10(void) |
1728 | | { |
1729 | | |
1730 | | Signature *sig = NULL; |
1731 | | extern uint8_t action_order_sigs[4]; |
1732 | | |
1733 | | /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */ |
1734 | | action_order_sigs[0] = ACTION_PASS; |
1735 | | action_order_sigs[1] = ACTION_ALERT; |
1736 | | action_order_sigs[2] = ACTION_DROP; |
1737 | | action_order_sigs[3] = ACTION_REJECT; |
1738 | | |
1739 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1740 | | FAIL_IF(de_ctx == NULL); |
1741 | | |
1742 | | sig = DetectEngineAppendSig(de_ctx, |
1743 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; " |
1744 | | "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)"); |
1745 | | FAIL_IF_NULL(sig); |
1746 | | |
1747 | | sig = DetectEngineAppendSig(de_ctx, |
1748 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; " |
1749 | | "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)"); |
1750 | | FAIL_IF_NULL(sig); |
1751 | | |
1752 | | sig = DetectEngineAppendSig(de_ctx, |
1753 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; " |
1754 | | "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)"); |
1755 | | FAIL_IF_NULL(sig); |
1756 | | |
1757 | | sig = DetectEngineAppendSig(de_ctx, |
1758 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; " |
1759 | | "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)"); |
1760 | | FAIL_IF_NULL(sig); |
1761 | | |
1762 | | sig = DetectEngineAppendSig(de_ctx, |
1763 | | "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; " |
1764 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)"); |
1765 | | FAIL_IF_NULL(sig); |
1766 | | |
1767 | | sig = DetectEngineAppendSig(de_ctx, |
1768 | | "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; " |
1769 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)"); |
1770 | | FAIL_IF_NULL(sig); |
1771 | | |
1772 | | sig = DetectEngineAppendSig(de_ctx, |
1773 | | "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; " |
1774 | | "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)"); |
1775 | | FAIL_IF_NULL(sig); |
1776 | | |
1777 | | sig = DetectEngineAppendSig(de_ctx, |
1778 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; " |
1779 | | "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)"); |
1780 | | FAIL_IF_NULL(sig); |
1781 | | |
1782 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
1783 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
1784 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
1785 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
1786 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
1787 | | SCSigOrderSignatures(de_ctx); |
1788 | | |
1789 | | sig = de_ctx->sig_list; |
1790 | | |
1791 | | #ifdef DEBUG |
1792 | | while (sig != NULL) { |
1793 | | printf("sid: %d\n", sig->id); |
1794 | | sig = sig->next; |
1795 | | } |
1796 | | #endif |
1797 | | |
1798 | | sig = de_ctx->sig_list; |
1799 | | |
1800 | | FAIL_IF_NOT(sig->id == 2); |
1801 | | sig = sig->next; |
1802 | | FAIL_IF_NOT(sig->id == 4); |
1803 | | sig = sig->next; |
1804 | | FAIL_IF_NOT(sig->id == 5); |
1805 | | sig = sig->next; |
1806 | | FAIL_IF_NOT(sig->id == 8); |
1807 | | sig = sig->next; |
1808 | | FAIL_IF_NOT(sig->id == 1); |
1809 | | sig = sig->next; |
1810 | | FAIL_IF_NOT(sig->id == 3); |
1811 | | sig = sig->next; |
1812 | | FAIL_IF_NOT(sig->id == 6); |
1813 | | sig = sig->next; |
1814 | | FAIL_IF_NOT(sig->id == 7); |
1815 | | sig = sig->next; |
1816 | | |
1817 | | /* Restore the default pre-order definition */ |
1818 | | action_order_sigs[0] = ACTION_PASS; |
1819 | | action_order_sigs[1] = ACTION_DROP; |
1820 | | action_order_sigs[2] = ACTION_REJECT; |
1821 | | action_order_sigs[3] = ACTION_ALERT; |
1822 | | |
1823 | | DetectEngineCtxFree(de_ctx); |
1824 | | PASS; |
1825 | | } |
1826 | | |
1827 | | static int SCSigOrderingTest11(void) |
1828 | | { |
1829 | | |
1830 | | Signature *sig = NULL; |
1831 | | |
1832 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1833 | | FAIL_IF(de_ctx == NULL); |
1834 | | |
1835 | | sig = DetectEngineAppendSig(de_ctx, |
1836 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering set\"; " |
1837 | | "flowbits:isnotset,myflow1; rev:4; sid:1;)"); |
1838 | | FAIL_IF_NULL(sig); |
1839 | | |
1840 | | sig = DetectEngineAppendSig(de_ctx, |
1841 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering toggle\"; " |
1842 | | "flowbits:toggle,myflow2; rev:4; sid:2;)"); |
1843 | | FAIL_IF_NULL(sig); |
1844 | | |
1845 | | sig = DetectEngineAppendSig(de_ctx, |
1846 | | "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; " |
1847 | | "flowbits:isset, myflow1; flowbits:unset,myflow2; rev:4; priority:3; sid:3;)"); |
1848 | | FAIL_IF_NULL(sig); |
1849 | | |
1850 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare); |
1851 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
1852 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare); |
1853 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare); |
1854 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare); |
1855 | | SCSigOrderSignatures(de_ctx); |
1856 | | |
1857 | | sig = de_ctx->sig_list; |
1858 | | |
1859 | | #ifdef DEBUG |
1860 | | while (sig != NULL) { |
1861 | | printf("sid: %d\n", sig->id); |
1862 | | sig = sig->next; |
1863 | | } |
1864 | | #endif |
1865 | | |
1866 | | sig = de_ctx->sig_list; |
1867 | | |
1868 | | FAIL_IF_NOT(sig->id == 2); |
1869 | | sig = sig->next; |
1870 | | FAIL_IF_NOT(sig->id == 3); |
1871 | | sig = sig->next; |
1872 | | FAIL_IF_NOT(sig->id == 1); |
1873 | | sig = sig->next; |
1874 | | |
1875 | | DetectEngineCtxFree(de_ctx); |
1876 | | PASS; |
1877 | | } |
1878 | | |
1879 | | static int SCSigOrderingTest12(void) |
1880 | | { |
1881 | | Signature *sig = NULL; |
1882 | | Packet *p = NULL; |
1883 | | uint8_t buf[] = "test message"; |
1884 | | Flow f; |
1885 | | |
1886 | | FLOW_INITIALIZE(&f); |
1887 | | f.flags |= FLOW_IPV4; |
1888 | | f.alproto = ALPROTO_UNKNOWN; |
1889 | | f.proto = IPPROTO_TCP; |
1890 | | |
1891 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1892 | | FAIL_IF(de_ctx == NULL); |
1893 | | de_ctx->flags |= DE_QUIET; |
1894 | | |
1895 | | const char *sigs[2]; |
1896 | | sigs[0] = "alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:isset,one; flowbits:set,two; sid:1;)"; |
1897 | | sigs[1] = "alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:set,one; sid:2;)"; |
1898 | | UTHAppendSigs(de_ctx, sigs, 2); |
1899 | | |
1900 | | sig = de_ctx->sig_list; |
1901 | | FAIL_IF_NULL(sig); |
1902 | | FAIL_IF_NULL(sig->next); |
1903 | | FAIL_IF_NOT_NULL(sig->next->next); |
1904 | | FAIL_IF(de_ctx->signum != 2); |
1905 | | |
1906 | | FlowInitConfig(FLOW_QUIET); |
1907 | | p = UTHBuildPacket(buf, sizeof(buf), IPPROTO_TCP); |
1908 | | FAIL_IF_NULL(p); |
1909 | | |
1910 | | p->flow = &f; |
1911 | | p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; |
1912 | | p->flowflags |= FLOW_PKT_TOSERVER; |
1913 | | p->flowflags |= FLOW_PKT_ESTABLISHED; |
1914 | | |
1915 | | UTHMatchPackets(de_ctx, &p, 1); |
1916 | | |
1917 | | uint32_t sids[2] = {1, 2}; |
1918 | | uint32_t results[2] = {1, 1}; |
1919 | | FAIL_IF_NOT(UTHCheckPacketMatchResults(p, sids, results, 2)); |
1920 | | |
1921 | | UTHFreePackets(&p, 1); |
1922 | | |
1923 | | DetectEngineCtxFree(de_ctx); |
1924 | | |
1925 | | FlowShutdown(); |
1926 | | |
1927 | | PASS; |
1928 | | } |
1929 | | |
1930 | | /** \test Bug 1061 */ |
1931 | | static int SCSigOrderingTest13(void) |
1932 | | { |
1933 | | |
1934 | | Signature *sig = NULL; |
1935 | | |
1936 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1937 | | FAIL_IF(de_ctx == NULL); |
1938 | | |
1939 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:set,bit2; flowbits:set,bit3; sid:6;)"); |
1940 | | FAIL_IF_NULL(sig); |
1941 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:set,bit1; flowbits:set,bit2; sid:7;)"); |
1942 | | FAIL_IF_NULL(sig); |
1943 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:isset,bit2; flowbits:isset,bit3; sid:5;)"); |
1944 | | FAIL_IF_NULL(sig); |
1945 | | |
1946 | | SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare); |
1947 | | SCSigOrderSignatures(de_ctx); |
1948 | | |
1949 | | #ifdef DEBUG |
1950 | | sig = de_ctx->sig_list; |
1951 | | while (sig != NULL) { |
1952 | | printf("sid: %d\n", sig->id); |
1953 | | sig = sig->next; |
1954 | | } |
1955 | | #endif |
1956 | | |
1957 | | sig = de_ctx->sig_list; |
1958 | | |
1959 | | FAIL_IF_NOT(sig->id == 7); |
1960 | | sig = sig->next; |
1961 | | FAIL_IF_NOT(sig->id == 6); |
1962 | | sig = sig->next; |
1963 | | FAIL_IF_NOT(sig->id == 5); |
1964 | | sig = sig->next; |
1965 | | |
1966 | | DetectEngineCtxFree(de_ctx); |
1967 | | PASS; |
1968 | | } |
1969 | | |
1970 | | #endif |
1971 | | |
1972 | | void SCSigRegisterSignatureOrderingTests(void) |
1973 | 0 | { |
1974 | |
|
1975 | | #ifdef UNITTESTS |
1976 | | UtRegisterTest("SCSigOrderingTest01", SCSigOrderingTest01); |
1977 | | UtRegisterTest("SCSigOrderingTest02", SCSigOrderingTest02); |
1978 | | UtRegisterTest("SCSigOrderingTest03", SCSigOrderingTest03); |
1979 | | UtRegisterTest("SCSigOrderingTest04", SCSigOrderingTest04); |
1980 | | UtRegisterTest("SCSigOrderingTest05", SCSigOrderingTest05); |
1981 | | UtRegisterTest("SCSigOrderingTest06", SCSigOrderingTest06); |
1982 | | UtRegisterTest("SCSigOrderingTest07", SCSigOrderingTest07); |
1983 | | UtRegisterTest("SCSigOrderingTest08", SCSigOrderingTest08); |
1984 | | UtRegisterTest("SCSigOrderingTest09", SCSigOrderingTest09); |
1985 | | UtRegisterTest("SCSigOrderingTest10", SCSigOrderingTest10); |
1986 | | UtRegisterTest("SCSigOrderingTest11", SCSigOrderingTest11); |
1987 | | UtRegisterTest("SCSigOrderingTest12", SCSigOrderingTest12); |
1988 | | UtRegisterTest("SCSigOrderingTest13", SCSigOrderingTest13); |
1989 | | #endif |
1990 | 0 | } |