Coverage Report

Created: 2026-05-16 07:38

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/suricata7/src/detect-engine-sigorder.c
Line
Count
Source
1
/* Copyright (C) 2007-2013 Open Information Security Foundation
2
 *
3
 * You can copy, redistribute or modify this Program under the terms of
4
 * the GNU General Public License version 2 as published by the Free
5
 * Software Foundation.
6
 *
7
 * This program is distributed in the hope that it will be useful,
8
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10
 * GNU General Public License for more details.
11
 *
12
 * You should have received a copy of the GNU General Public License
13
 * version 2 along with this program; if not, write to the Free Software
14
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
 * 02110-1301, USA.
16
 */
17
18
/**
19
 * \file
20
 *
21
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22
 *
23
 * Signature ordering part of the detection engine.
24
 */
25
26
#include "suricata-common.h"
27
#include "detect.h"
28
#include "detect-xbits.h"
29
#include "detect-flowbits.h"
30
#include "detect-flowint.h"
31
#include "detect-parse.h"
32
#include "detect-engine-sigorder.h"
33
#include "detect-pcre.h"
34
#include "detect-engine-build.h"
35
36
#include "util-unittest.h"
37
#include "util-unittest-helper.h"
38
#include "util-debug.h"
39
#include "util-action.h"
40
#include "action-globals.h"
41
#include "flow-util.h"
42
#include "util-validate.h"
43
44
209k
#define DETECT_FLOWVAR_NOT_USED      1
45
278
#define DETECT_FLOWVAR_TYPE_READ     2
46
0
#define DETECT_FLOWVAR_TYPE_SET_READ 3
47
238
#define DETECT_FLOWVAR_TYPE_SET      4
48
49
209k
#define DETECT_PKTVAR_NOT_USED      1
50
154
#define DETECT_PKTVAR_TYPE_READ     2
51
13
#define DETECT_PKTVAR_TYPE_SET_READ 3
52
250
#define DETECT_PKTVAR_TYPE_SET      4
53
54
209k
#define DETECT_FLOWBITS_NOT_USED      1
55
3.35k
#define DETECT_FLOWBITS_TYPE_READ     2
56
541
#define DETECT_FLOWBITS_TYPE_SET_READ 3
57
3.56k
#define DETECT_FLOWBITS_TYPE_SET      4
58
59
209k
#define DETECT_FLOWINT_NOT_USED      1
60
576
#define DETECT_FLOWINT_TYPE_READ     2
61
8
#define DETECT_FLOWINT_TYPE_SET_READ 3
62
11.0k
#define DETECT_FLOWINT_TYPE_SET      4
63
64
419k
#define DETECT_XBITS_NOT_USED      1
65
144
#define DETECT_XBITS_TYPE_READ     2
66
0
#define DETECT_XBITS_TYPE_SET_READ 3
67
131
#define DETECT_XBITS_TYPE_SET      4
68
69
70
/**
71
 * \brief Registers a keyword-based, signature ordering function
72
 *
73
 * \param de_ctx  Pointer to the detection engine context from which the
74
 *                signatures have to be ordered.
75
 * \param FuncPtr Pointer to the signature ordering function.  The prototype of
76
 *                the signature ordering function should accept a pointer to a
77
 *                SCSigSignatureWrapper as its argument and shouldn't return
78
 *                anything
79
 */
80
static void SCSigRegisterSignatureOrderingFunc(DetectEngineCtx *de_ctx,
81
                                               int (*SWCompare)(SCSigSignatureWrapper *sw1, SCSigSignatureWrapper *sw2))
82
507k
{
83
507k
    SCSigOrderFunc *curr = NULL;
84
507k
    SCSigOrderFunc *prev = NULL;
85
507k
    SCSigOrderFunc *temp = NULL;
86
87
507k
    curr = de_ctx->sc_sig_order_funcs;
88
89
    /* Walk to the end of the list, and leave prev pointing at the
90
       last element. */
91
507k
    prev = curr;
92
2.28M
    while (curr != NULL) {
93
1.77M
        if (curr->SWCompare == SWCompare) {
94
            /* Already specified this compare */
95
0
            return;
96
0
        }
97
1.77M
        prev = curr;
98
1.77M
        curr = curr->next;
99
1.77M
    }
100
101
507k
    if ( (temp = SCMalloc(sizeof(SCSigOrderFunc))) == NULL) {
102
0
        FatalError("Fatal error encountered in SCSigRegisterSignatureOrderingFunc. Exiting...");
103
0
    }
104
507k
    memset(temp, 0, sizeof(SCSigOrderFunc));
105
106
507k
    temp->SWCompare = SWCompare;
107
108
    /* Append the new compare function at the end of the list. */
109
507k
    if (prev == NULL)
110
63.4k
        de_ctx->sc_sig_order_funcs = temp;
111
443k
    else
112
443k
        prev->next = temp;
113
114
507k
    return;
115
507k
}
116
117
/**
118
 * \brief Returns the flowbit type set for this signature.  If more than one
119
 *        flowbit has been set for the same rule, we return the flowbit type of
120
 *        the maximum priority/value, where priority/value is maximum for the
121
 *        ones that set the value and the lowest for ones that read the value.
122
 *        If no flowbit has been set for the rule, we return 0, which indicates
123
 *        the least value amongst flowbit types.
124
 *
125
 * \param sig Pointer to the Signature from which the flowbit value has to be
126
 *            returned.
127
 *
128
 * \retval flowbits The flowbits type for this signature if it is set; if it is
129
 *                  not set, return 0
130
 */
131
static inline int SCSigGetFlowbitsType(Signature *sig)
132
209k
{
133
209k
    DetectFlowbitsData *fb = NULL;
134
209k
    int flowbits_user_type = DETECT_FLOWBITS_NOT_USED;
135
209k
    int read = 0;
136
209k
    int write = 0;
137
209k
    SigMatch *sm = sig->init_data->smlists[DETECT_SM_LIST_MATCH];
138
139
308k
    while (sm != NULL) {
140
98.5k
        if (sm->type == DETECT_FLOWBITS) {
141
5.51k
            fb = (DetectFlowbitsData *)sm->ctx;
142
5.51k
            if (fb->cmd == DETECT_FLOWBITS_CMD_ISNOTSET ||
143
5.51k
                fb->cmd == DETECT_FLOWBITS_CMD_ISSET) {
144
5.51k
                read++;
145
5.51k
            } else {
146
#ifdef DEBUG
147
                BUG_ON(1);
148
#endif
149
0
            }
150
5.51k
        }
151
152
98.5k
        sm = sm->next;
153
98.5k
    }
154
155
209k
    sm = sig->init_data->smlists[DETECT_SM_LIST_POSTMATCH];
156
239k
    while (sm != NULL) {
157
29.7k
        if (sm->type == DETECT_FLOWBITS) {
158
7.85k
            fb = (DetectFlowbitsData *)sm->ctx;
159
7.85k
            if (fb->cmd == DETECT_FLOWBITS_CMD_SET ||
160
1.54k
                fb->cmd == DETECT_FLOWBITS_CMD_UNSET ||
161
7.85k
                fb->cmd == DETECT_FLOWBITS_CMD_TOGGLE) {
162
7.85k
                write++;
163
7.85k
            } else {
164
#ifdef DEBUG
165
                BUG_ON(1);
166
#endif
167
0
            }
168
7.85k
        }
169
170
29.7k
        sm = sm->next;
171
29.7k
    }
172
173
209k
    if (read > 0 && write == 0) {
174
3.35k
        flowbits_user_type = DETECT_FLOWBITS_TYPE_READ;
175
206k
    } else if (read == 0 && write > 0) {
176
3.56k
        flowbits_user_type = DETECT_FLOWBITS_TYPE_SET;
177
202k
    } else if (read > 0 && write > 0) {
178
541
        flowbits_user_type = DETECT_FLOWBITS_TYPE_SET_READ;
179
541
    }
180
181
209k
    SCLogDebug("Sig %s typeval %d", sig->msg, flowbits_user_type);
182
183
209k
    return flowbits_user_type;
184
209k
}
185
186
static inline int SCSigGetFlowintType(Signature *sig)
187
209k
{
188
209k
    DetectFlowintData *fi = NULL;
189
209k
    int flowint_user_type = DETECT_FLOWINT_NOT_USED;
190
209k
    int read = 0;
191
209k
    int write = 0;
192
209k
    SigMatch *sm = sig->init_data->smlists[DETECT_SM_LIST_MATCH];
193
194
308k
    while (sm != NULL) {
195
98.5k
        if (sm->type == DETECT_FLOWINT) {
196
2.75k
            fi = (DetectFlowintData *)sm->ctx;
197
2.75k
            if (fi->modifier == FLOWINT_MODIFIER_LT || fi->modifier == FLOWINT_MODIFIER_LE ||
198
2.29k
                    fi->modifier == FLOWINT_MODIFIER_EQ || fi->modifier == FLOWINT_MODIFIER_NE ||
199
1.42k
                    fi->modifier == FLOWINT_MODIFIER_GE || fi->modifier == FLOWINT_MODIFIER_GT ||
200
1
                    fi->modifier == FLOWINT_MODIFIER_ISNOTSET ||
201
2.75k
                    fi->modifier == FLOWINT_MODIFIER_ISSET) {
202
2.75k
                read++;
203
2.75k
            } else {
204
#ifdef DEBUG
205
                BUG_ON(1);
206
#endif
207
0
            }
208
2.75k
        }
209
210
98.5k
        sm = sm->next;
211
98.5k
    }
212
213
209k
    sm = sig->init_data->smlists[DETECT_SM_LIST_POSTMATCH];
214
239k
    while (sm != NULL) {
215
29.7k
        if (sm->type == DETECT_FLOWINT) {
216
11.2k
            fi = (DetectFlowintData *)sm->ctx;
217
11.2k
            if (fi->modifier == FLOWINT_MODIFIER_SET ||
218
11.2k
                fi->modifier == FLOWINT_MODIFIER_ADD ||
219
11.2k
                fi->modifier == FLOWINT_MODIFIER_SUB) {
220
11.2k
                write++;
221
11.2k
            } else {
222
#ifdef DEBUG
223
                BUG_ON(1);
224
#endif
225
0
            }
226
11.2k
        }
227
228
29.7k
        sm = sm->next;
229
29.7k
    }
230
231
209k
    if (read > 0 && write == 0) {
232
576
        flowint_user_type = DETECT_FLOWINT_TYPE_READ;
233
209k
    } else if (read == 0 && write > 0) {
234
11.0k
        flowint_user_type = DETECT_FLOWINT_TYPE_SET;
235
198k
    } else if (read > 0 && write > 0) {
236
8
        flowint_user_type = DETECT_FLOWINT_TYPE_SET_READ;
237
8
    }
238
239
209k
    SCLogDebug("Sig %s typeval %d", sig->msg, flowint_user_type);
240
241
209k
    return flowint_user_type;
242
209k
}
243
244
/**
245
 * \brief Returns whether the flowvar set for this rule, sets the flowvar or
246
 *        reads the flowvar.  If the rule sets the flowvar the function returns
247
 *        DETECT_FLOWVAR_TYPE_SET(3), if it reads the flowvar the function
248
 *        returns DETECT_FLOWVAR_TYPE_READ(2), and if flowvar is not used in this
249
 *        rule the function returns DETECT_FLOWVAR_NOT_USED(1)
250
 *
251
 * \param sig Pointer to the Signature from which the flowvar type has to be
252
 *            returned.
253
 *
254
 * \retval type DETECT_FLOWVAR_TYPE_SET(3) if the rule sets the flowvar,
255
 *              DETECT_FLOWVAR_TYPE_READ(2) if it reads, and
256
 *              DETECT_FLOWVAR_NOT_USED(1) if flowvar is not used.
257
 */
258
static inline int SCSigGetFlowvarType(Signature *sig)
259
209k
{
260
209k
    DetectPcreData *pd = NULL;
261
209k
    int type = DETECT_FLOWVAR_NOT_USED;
262
209k
    int read = 0;
263
209k
    int write = 0;
264
209k
    SigMatch *sm = sig->init_data->smlists[DETECT_SM_LIST_PMATCH];
265
266
307k
    while (sm != NULL) {
267
97.8k
        pd = (DetectPcreData *)sm->ctx;
268
97.8k
        if (sm->type == DETECT_PCRE) {
269
43.1k
            uint8_t x;
270
43.8k
            for (x = 0; x < pd->idx; x++) {
271
1.34k
                if (pd->captypes[x] == VAR_TYPE_FLOW_VAR) {
272
684
                    write++;
273
684
                    break;
274
684
                }
275
1.34k
            }
276
43.1k
        }
277
278
97.8k
        sm = sm->next;
279
97.8k
    }
280
281
209k
    sm = sig->init_data->smlists[DETECT_SM_LIST_MATCH];
282
209k
    pd = NULL;
283
308k
    while (sm != NULL) {
284
98.5k
        if (sm->type == DETECT_FLOWVAR) {
285
391
            read++;
286
391
        }
287
288
98.5k
        sm = sm->next;
289
98.5k
    }
290
291
209k
    if (read > 0 && write == 0) {
292
278
        type = DETECT_FLOWVAR_TYPE_READ;
293
209k
    } else if (read == 0 && write > 0) {
294
238
        type = DETECT_FLOWVAR_TYPE_SET;
295
209k
    } else if (read > 0 && write > 0) {
296
0
        type = DETECT_FLOWVAR_TYPE_SET_READ;
297
0
    }
298
299
209k
    return type;
300
209k
}
301
302
/**
303
 * \brief Returns whether the pktvar set for this rule, sets the flowvar or
304
 *        reads the pktvar.  If the rule sets the pktvar the function returns
305
 *        DETECT_PKTVAR_TYPE_SET(3), if it reads the pktvar the function
306
 *        returns DETECT_PKTVAR_TYPE_READ(2), and if pktvar is not used in this
307
 *        rule the function returns DETECT_PKTVAR_NOT_USED(1)
308
 *
309
 * \param sig Pointer to the Signature from which the pktvar type has to be
310
 *            returned.
311
 *
312
 * \retval type DETECT_PKTVAR_TYPE_SET(3) if the rule sets the flowvar,
313
 *              DETECT_PKTVAR_TYPE_READ(2) if it reads, and
314
 *              DETECT_PKTVAR_NOT_USED(1) if pktvar is not used.
315
 */
316
static inline int SCSigGetPktvarType(Signature *sig)
317
209k
{
318
209k
    DetectPcreData *pd = NULL;
319
209k
    int type = DETECT_PKTVAR_NOT_USED;
320
209k
    int read = 0;
321
209k
    int write = 0;
322
209k
    SigMatch *sm = sig->init_data->smlists[DETECT_SM_LIST_PMATCH];
323
324
307k
    while (sm != NULL) {
325
97.8k
        pd = (DetectPcreData *)sm->ctx;
326
97.8k
        if (sm->type == DETECT_PCRE) {
327
43.1k
            uint8_t x;
328
44.4k
            for (x = 0; x < pd->idx; x++) {
329
1.78k
                if (pd->captypes[x] == VAR_TYPE_PKT_VAR) {
330
477
                    write++;
331
477
                    break;
332
477
                }
333
1.78k
            }
334
43.1k
        }
335
336
97.8k
        sm = sm->next;
337
97.8k
    }
338
339
209k
    sm = sig->init_data->smlists[DETECT_SM_LIST_MATCH];
340
209k
    pd = NULL;
341
308k
    while (sm != NULL) {
342
98.5k
        if (sm->type == DETECT_PKTVAR) {
343
1.18k
            read++;
344
1.18k
        }
345
346
98.5k
        sm = sm->next;
347
98.5k
    }
348
349
209k
    if (read > 0 && write == 0) {
350
154
        type = DETECT_PKTVAR_TYPE_READ;
351
209k
    } else if (read == 0 && write > 0) {
352
250
        type = DETECT_PKTVAR_TYPE_SET;
353
209k
    } else if (read > 0 && write > 0) {
354
13
        type = DETECT_PKTVAR_TYPE_SET_READ;
355
13
    }
356
357
209k
    return type;
358
209k
}
359
360
/**
361
 * \brief Returns the xbit type set for this signature.  If more than one
362
 *        xbit has been set for the same rule, we return the xbit type of
363
 *        the maximum priority/value, where priority/value is maximum for the
364
 *        ones that set the value and the lowest for ones that read the value.
365
 *        If no xbit has been set for the rule, we return 0, which indicates
366
 *        the least value amongst xbit types.
367
 *
368
 * \param sig Pointer to the Signature from which the xbit value has to be
369
 *            returned.
370
 *
371
 * \retval xbits The xbits type for this signature if it is set; if it is
372
 *                  not set, return 0
373
 */
374
static inline int SCSigGetXbitsType(Signature *sig, enum VarTypes type)
375
419k
{
376
419k
    DetectXbitsData *fb = NULL;
377
419k
    int xbits_user_type = DETECT_XBITS_NOT_USED;
378
419k
    int read = 0;
379
419k
    int write = 0;
380
419k
    SigMatch *sm = sig->init_data->smlists[DETECT_SM_LIST_MATCH];
381
382
616k
    while (sm != NULL) {
383
197k
        if (sm->type == DETECT_XBITS) {
384
608
            fb = (DetectXbitsData *)sm->ctx;
385
608
            if (fb->type == type) {
386
296
                if (fb->cmd == DETECT_XBITS_CMD_ISNOTSET ||
387
296
                        fb->cmd == DETECT_XBITS_CMD_ISSET) {
388
296
                    read++;
389
296
                } else {
390
#ifdef DEBUG
391
                    BUG_ON(1);
392
#endif
393
0
                }
394
296
            }
395
608
        }
396
397
197k
        sm = sm->next;
398
197k
    }
399
400
419k
    sm = sig->init_data->smlists[DETECT_SM_LIST_POSTMATCH];
401
479k
    while (sm != NULL) {
402
59.4k
        if (sm->type == DETECT_HOSTBITS) {
403
594
            fb = (DetectXbitsData *)sm->ctx;
404
594
            if (fb->type == type) {
405
297
                if (fb->cmd == DETECT_XBITS_CMD_SET ||
406
98
                        fb->cmd == DETECT_XBITS_CMD_UNSET ||
407
297
                        fb->cmd == DETECT_XBITS_CMD_TOGGLE) {
408
297
                    write++;
409
297
                } else {
410
#ifdef DEBUG
411
                    BUG_ON(1);
412
#endif
413
0
                }
414
297
            }
415
594
        }
416
417
59.4k
        sm = sm->next;
418
59.4k
    }
419
420
419k
    if (read > 0 && write == 0) {
421
144
        xbits_user_type = DETECT_XBITS_TYPE_READ;
422
419k
    } else if (read == 0 && write > 0) {
423
131
        xbits_user_type = DETECT_XBITS_TYPE_SET;
424
419k
    } else if (read > 0 && write > 0) {
425
0
        xbits_user_type = DETECT_XBITS_TYPE_SET_READ;
426
0
    }
427
428
419k
    SCLogDebug("Sig %s typeval %d", sig->msg, xbits_user_type);
429
430
419k
    return xbits_user_type;
431
419k
}
432
433
/**
434
 * \brief Processes the flowbits data for this signature and caches it for
435
 *        future use.  This is needed to optimize the sig_ordering module.
436
 *
437
 * \param sw The sigwrapper/signature for which the flowbits data has to be
438
 *           cached
439
 */
440
static inline void SCSigProcessUserDataForFlowbits(SCSigSignatureWrapper *sw)
441
209k
{
442
209k
    sw->user[SC_RADIX_USER_DATA_FLOWBITS] = SCSigGetFlowbitsType(sw->sig);
443
209k
}
444
445
/**
446
 * \brief Processes the flowvar data for this signature and caches it for
447
 *        future use.  This is needed to optimize the sig_ordering module.
448
 *
449
 * \param sw The sigwrapper/signature for which the flowvar data has to be
450
 *           cached
451
 */
452
static inline void SCSigProcessUserDataForFlowvar(SCSigSignatureWrapper *sw)
453
209k
{
454
209k
    sw->user[SC_RADIX_USER_DATA_FLOWVAR] = SCSigGetFlowvarType(sw->sig);
455
209k
}
456
457
static inline void SCSigProcessUserDataForFlowint(SCSigSignatureWrapper *sw)
458
209k
{
459
209k
    sw->user[SC_RADIX_USER_DATA_FLOWINT] = SCSigGetFlowintType(sw->sig);
460
209k
}
461
462
/**
463
 * \brief Processes the pktvar data for this signature and caches it for
464
 *        future use.  This is needed to optimize the sig_ordering module.
465
 *
466
 * \param sw The sigwrapper/signature for which the pktvar data has to be
467
 *           cached
468
 */
469
static inline void SCSigProcessUserDataForPktvar(SCSigSignatureWrapper *sw)
470
209k
{
471
209k
    sw->user[SC_RADIX_USER_DATA_PKTVAR] = SCSigGetPktvarType(sw->sig);
472
209k
}
473
474
/**
475
 * \brief Processes the hostbits data for this signature and caches it for
476
 *        future use.  This is needed to optimize the sig_ordering module.
477
 *
478
 * \param sw The sigwrapper/signature for which the hostbits data has to be
479
 *           cached
480
 */
481
static inline void SCSigProcessUserDataForHostbits(SCSigSignatureWrapper *sw)
482
209k
{
483
209k
    sw->user[SC_RADIX_USER_DATA_HOSTBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_HOST_BIT);
484
209k
}
485
486
/**
487
 * \brief Processes the hostbits data for this signature and caches it for
488
 *        future use.  This is needed to optimize the sig_ordering module.
489
 *
490
 * \param sw The sigwrapper/signature for which the hostbits data has to be
491
 *           cached
492
 */
493
static inline void SCSigProcessUserDataForIPPairbits(SCSigSignatureWrapper *sw)
494
209k
{
495
209k
    sw->user[SC_RADIX_USER_DATA_IPPAIRBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_IPPAIR_BIT);
496
209k
}
497
498
/* Return 1 if sw1 comes before sw2 in the final list. */
499
static int SCSigLessThan(SCSigSignatureWrapper *sw1,
500
                         SCSigSignatureWrapper *sw2,
501
                         SCSigOrderFunc *cmp_func_list)
502
611k
{
503
611k
    SCSigOrderFunc *funcs = cmp_func_list;
504
505
4.91M
    while (funcs != NULL) {
506
4.39M
        int delta = funcs->SWCompare(sw1, sw2);
507
4.39M
        if (delta > 0)
508
50.6k
            return 1;
509
4.34M
        else if (delta < 0)
510
33.4k
            return 0;
511
512
4.30M
        funcs = funcs->next;
513
4.30M
    }
514
    // They are equal, so use sid as the final decider.
515
526k
    return sw1->sig->id < sw2->sig->id;
516
611k
}
517
518
/* Merge sort based on a list of compare functions
519
 * debug asserts are here to guide scan-build */
520
static SCSigSignatureWrapper *SCSigOrder(SCSigSignatureWrapper *sw,
521
                                         SCSigOrderFunc *cmp_func_list)
522
367k
{
523
367k
    DEBUG_VALIDATE_BUG_ON(sw == NULL);
524
525
367k
    SCSigSignatureWrapper *subA = NULL;
526
367k
    SCSigSignatureWrapper *subB = NULL;
527
367k
    SCSigSignatureWrapper *first;
528
367k
    SCSigSignatureWrapper *second;
529
367k
    SCSigSignatureWrapper *result = NULL;
530
367k
    SCSigSignatureWrapper *last = NULL;
531
367k
    SCSigSignatureWrapper *new = NULL;
532
533
    /* Divide input list into two sub-lists. */
534
739k
    while (sw != NULL) {
535
631k
        first = sw;
536
631k
        sw = sw->next;
537
        /* Push the first element onto sub-list A */
538
631k
        first->next = subA;
539
631k
        subA = first;
540
541
631k
        if (sw == NULL)
542
259k
            break;
543
371k
        second = sw;
544
371k
        sw = sw->next;
545
        /* Push the second element onto sub-list B */
546
371k
        second->next = subB;
547
371k
        subB = second;
548
371k
    }
549
367k
    if (subB == NULL) {
550
        /* Only zero or one element on the list. */
551
209k
        return subA;
552
209k
    }
553
157k
    DEBUG_VALIDATE_BUG_ON(subA == NULL);
554
555
    /* Now sort each list */
556
157k
    subA = SCSigOrder(subA, cmp_func_list);
557
157k
    subB = SCSigOrder(subB, cmp_func_list);
558
157k
    DEBUG_VALIDATE_BUG_ON(subA == NULL);
559
157k
    DEBUG_VALIDATE_BUG_ON(subB == NULL);
560
561
    /* Merge the two sorted lists. */
562
768k
    while (subA != NULL && subB != NULL) {
563
611k
        if (SCSigLessThan(subA, subB, cmp_func_list)) {
564
315k
            new = subA;
565
315k
            subA = subA->next;
566
315k
        } else {
567
295k
            new = subB;
568
295k
            subB = subB->next;
569
295k
        }
570
        /* Push onto the end of the output list. */
571
611k
        new->next = NULL;
572
611k
        if (result == NULL) {
573
157k
            result = new;
574
157k
            last = new;
575
453k
        } else {
576
453k
            last->next = new;
577
453k
            last = new;
578
453k
        }
579
611k
    }
580
    /* Attach the rest of any remaining list. Only one can be non-NULL here. */
581
157k
    if (subA == NULL)
582
69.3k
        last->next = subB;
583
88.4k
    else if (subB == NULL)
584
88.4k
        last->next = subA;
585
586
157k
    return result;
587
157k
}
588
589
/**
590
 * \brief Orders an incoming Signature based on its action
591
 *
592
 * \param de_ctx Pointer to the detection engine context from which the
593
 *               signatures have to be ordered.
594
 * \param sw     The new signature that has to be ordered based on its action
595
 */
596
static int SCSigOrderByActionCompare(SCSigSignatureWrapper *sw1,
597
                                     SCSigSignatureWrapper *sw2)
598
611k
{
599
611k
    return ActionOrderVal(sw2->sig->action) - ActionOrderVal(sw1->sig->action);
600
611k
}
601
602
/**
603
 * \brief Orders an incoming Signature based on its flowbits type
604
 *
605
 * \param de_ctx Pointer to the detection engine context from which the
606
 *               signatures have to be ordered.
607
 * \param sw     The new signature that has to be ordered based on its flowbits
608
 */
609
static int SCSigOrderByFlowbitsCompare(SCSigSignatureWrapper *sw1,
610
                                       SCSigSignatureWrapper *sw2)
611
578k
{
612
578k
    return sw1->user[SC_RADIX_USER_DATA_FLOWBITS] -
613
578k
        sw2->user[SC_RADIX_USER_DATA_FLOWBITS];
614
578k
}
615
616
/**
617
 * \brief Orders an incoming Signature based on its flowvar type
618
 *
619
 * \param de_ctx Pointer to the detection engine context from which the
620
 *               signatures have to be ordered.
621
 * \param sw     The new signature that has to be ordered based on its flowvar
622
 */
623
static int SCSigOrderByFlowvarCompare(SCSigSignatureWrapper *sw1,
624
                                      SCSigSignatureWrapper *sw2)
625
528k
{
626
528k
    return sw1->user[SC_RADIX_USER_DATA_FLOWVAR] -
627
528k
        sw2->user[SC_RADIX_USER_DATA_FLOWVAR];
628
528k
}
629
630
/**
631
 * \brief Orders an incoming Signature based on its pktvar type
632
 *
633
 * \param de_ctx Pointer to the detection engine context from which the
634
 *               signatures have to be ordered.
635
 * \param sw     The new signature that has to be ordered based on its pktvar
636
 */
637
static int SCSigOrderByPktvarCompare(SCSigSignatureWrapper *sw1,
638
                                     SCSigSignatureWrapper *sw2)
639
527k
{
640
527k
    return sw1->user[SC_RADIX_USER_DATA_PKTVAR] -
641
527k
        sw2->user[SC_RADIX_USER_DATA_PKTVAR];
642
527k
}
643
644
static int SCSigOrderByFlowintCompare(SCSigSignatureWrapper *sw1,
645
                                      SCSigSignatureWrapper *sw2)
646
562k
{
647
562k
    return sw1->user[SC_RADIX_USER_DATA_FLOWINT] -
648
562k
        sw2->user[SC_RADIX_USER_DATA_FLOWINT];
649
562k
}
650
651
/**
652
 * \brief Orders an incoming Signature based on its hostbits type
653
 *
654
 * \param de_ctx Pointer to the detection engine context from which the
655
 *               signatures have to be ordered.
656
 * \param sw     The new signature that has to be ordered based on its hostbits
657
 */
658
static int SCSigOrderByHostbitsCompare(SCSigSignatureWrapper *sw1,
659
                                       SCSigSignatureWrapper *sw2)
660
527k
{
661
527k
    return sw1->user[SC_RADIX_USER_DATA_HOSTBITS] -
662
527k
        sw2->user[SC_RADIX_USER_DATA_HOSTBITS];
663
527k
}
664
665
/**
666
 * \brief Orders an incoming Signature based on its ippairbits (xbits) type
667
 *
668
 * \param de_ctx Pointer to the detection engine context from which the
669
 *               signatures have to be ordered.
670
 * \param sw     The new signature that has to be ordered based on its bits
671
 */
672
static int SCSigOrderByIPPairbitsCompare(SCSigSignatureWrapper *sw1,
673
                                         SCSigSignatureWrapper *sw2)
674
527k
{
675
527k
    return sw1->user[SC_RADIX_USER_DATA_IPPAIRBITS] -
676
527k
        sw2->user[SC_RADIX_USER_DATA_IPPAIRBITS];
677
527k
}
678
679
/**
680
 * \brief Orders an incoming Signature based on its priority type
681
 *
682
 * \param de_ctx Pointer to the detection engine context from which the
683
 *               signatures have to be ordered.
684
 * \param sw     The new signature that has to be ordered based on its priority
685
 */
686
static int SCSigOrderByPriorityCompare(SCSigSignatureWrapper *sw1,
687
                                       SCSigSignatureWrapper *sw2)
688
527k
{
689
527k
    if (sw1->sig->prio > sw2->sig->prio) {
690
153
        return -1;
691
527k
    } else if (sw1->sig->prio < sw2->sig->prio) {
692
225
        return 1;
693
225
    }
694
526k
    return 0;
695
527k
}
696
697
/**
698
 * \brief Creates a Wrapper around the Signature
699
 *
700
 * \param Pointer to the Signature to be wrapped
701
 *
702
 * \retval sw Pointer to the wrapper that holds the signature
703
 */
704
static inline SCSigSignatureWrapper *SCSigAllocSignatureWrapper(Signature *sig)
705
209k
{
706
209k
    SCSigSignatureWrapper *sw = NULL;
707
708
209k
    if ( (sw = SCMalloc(sizeof(SCSigSignatureWrapper))) == NULL)
709
0
        return NULL;
710
209k
    memset(sw, 0, sizeof(SCSigSignatureWrapper));
711
712
209k
    sw->sig = sig;
713
714
    /* Process data from the signature into a cache for further use by the
715
     * sig_ordering module */
716
209k
    SCSigProcessUserDataForFlowbits(sw);
717
209k
    SCSigProcessUserDataForFlowvar(sw);
718
209k
    SCSigProcessUserDataForFlowint(sw);
719
209k
    SCSigProcessUserDataForPktvar(sw);
720
209k
    SCSigProcessUserDataForHostbits(sw);
721
209k
    SCSigProcessUserDataForIPPairbits(sw);
722
723
209k
    return sw;
724
209k
}
725
726
/**
727
 * \brief Orders the signatures
728
 *
729
 * \param de_ctx Pointer to the Detection Engine Context that holds the
730
 *               signatures to be ordered
731
 */
732
void SCSigOrderSignatures(DetectEngineCtx *de_ctx)
733
63.4k
{
734
63.4k
    if (de_ctx->sig_list == NULL) {
735
38.6k
        SCLogDebug("no signatures to order");
736
38.6k
        return;
737
38.6k
    }
738
739
24.7k
    Signature *sig = NULL;
740
24.7k
    SCSigSignatureWrapper *sigw = NULL;
741
24.7k
    SCSigSignatureWrapper *sigw_list = NULL;
742
#ifdef DEBUG
743
    int i = 0;
744
#endif
745
24.7k
    SCLogDebug("ordering signatures in memory");
746
747
24.7k
    sig = de_ctx->sig_list;
748
146k
    while (sig != NULL) {
749
121k
        sigw = SCSigAllocSignatureWrapper(sig);
750
        /* Push signature wrapper onto a list, order doesn't matter here. */
751
121k
        sigw->next = sigw_list;
752
121k
        sigw_list = sigw;
753
754
121k
        sig = sig->next;
755
#ifdef DEBUG
756
        i++;
757
#endif
758
121k
    }
759
760
    /* Sort the list */
761
24.7k
    sigw_list = SCSigOrder(sigw_list, de_ctx->sc_sig_order_funcs);
762
763
24.7k
    SCLogDebug("Total Signatures to be processed by the"
764
24.7k
           "sigordering module: %d", i);
765
766
    /* Recreate the sig list in order */
767
24.7k
    de_ctx->sig_list = NULL;
768
24.7k
    sigw = sigw_list;
769
#ifdef DEBUG
770
    i = 0;
771
#endif
772
146k
    while (sigw != NULL) {
773
#ifdef DEBUG
774
        i++;
775
#endif
776
121k
        sigw->sig->next = NULL;
777
121k
        if (de_ctx->sig_list == NULL) {
778
            /* First entry on the list */
779
24.7k
            de_ctx->sig_list = sigw->sig;
780
24.7k
            sig = de_ctx->sig_list;
781
97.1k
        } else {
782
97.1k
            sig->next = sigw->sig;
783
97.1k
            sig = sig->next;
784
97.1k
        }
785
121k
        SCSigSignatureWrapper *sigw_to_free = sigw;
786
121k
        sigw = sigw->next;
787
121k
        SCFree(sigw_to_free);
788
121k
    }
789
790
24.7k
    SCLogDebug("total signatures reordered by the sigordering module: %d", i);
791
24.7k
}
792
793
/**
794
 * \brief Lets you register the Signature ordering functions.  The order in
795
 *        which the functions are registered shows the priority.  The first
796
 *        function registered provides more priority than the function
797
 *        registered after it.  To add a new registration function, register
798
 *        it by listing it in the correct position in the below sequence,
799
 *        based on the priority you would want to offer to that keyword.
800
 *
801
 * \param de_ctx Pointer to the detection engine context from which the
802
 *               signatures have to be ordered.
803
 */
804
void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *de_ctx)
805
122k
{
806
122k
    SCLogDebug("registering signature ordering functions");
807
808
122k
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
809
122k
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
810
122k
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowintCompare);
811
122k
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
812
122k
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
813
122k
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByHostbitsCompare);
814
122k
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByIPPairbitsCompare);
815
122k
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
816
122k
}
817
818
/**
819
 * \brief De-registers all the signature ordering functions registered
820
 *
821
 * \param de_ctx Pointer to the detection engine context from which the
822
 *               signatures were ordered.
823
 */
824
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
825
245k
{
826
245k
    SCSigOrderFunc *funcs;
827
245k
    void *temp;
828
829
    /* clean the memory alloted to the signature ordering funcs */
830
245k
    funcs = de_ctx->sc_sig_order_funcs;
831
1.22M
    while (funcs != NULL) {
832
981k
        temp = funcs;
833
981k
        funcs = funcs->next;
834
981k
        SCFree(temp);
835
981k
    }
836
245k
    de_ctx->sc_sig_order_funcs = NULL;
837
245k
}
838
839
/**********Unittests**********/
840
841
DetectEngineCtx *DetectEngineCtxInit(void);
842
Signature *DetectEngineAppendSig(DetectEngineCtx *, const char *);
843
void SigFree(DetectEngineCtx *, Signature *);
844
void DetectEngineCtxFree(DetectEngineCtx *);
845
846
#ifdef UNITTESTS
847
848
static int SCSigOrderingTest01(void)
849
{
850
    SCSigOrderFunc *temp = NULL;
851
    int i = 0;
852
853
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
854
    FAIL_IF_NULL(de_ctx);
855
856
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
857
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
858
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
859
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
860
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
861
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
862
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
863
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
864
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
865
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
866
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
867
868
    temp = de_ctx->sc_sig_order_funcs;
869
    while (temp != NULL) {
870
        i++;
871
        temp = temp->next;
872
    }
873
874
    DetectEngineCtxFree(de_ctx);
875
876
    FAIL_IF_NOT(i == 5);
877
878
    PASS;
879
}
880
881
static int SCSigOrderingTest02(void)
882
{
883
    Signature *sig = NULL;
884
885
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
886
    FAIL_IF(de_ctx == NULL);
887
888
    sig = DetectEngineAppendSig(de_ctx,
889
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
890
    FAIL_IF_NULL(sig);
891
892
    sig = DetectEngineAppendSig(de_ctx,
893
            "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:2;)");
894
    FAIL_IF_NULL(sig);
895
896
    sig = DetectEngineAppendSig(de_ctx,
897
            "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:3;)");
898
    FAIL_IF_NULL(sig);
899
900
    sig = DetectEngineAppendSig(de_ctx,
901
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; flowvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:4;)");
902
    FAIL_IF_NULL(sig);
903
904
    sig = DetectEngineAppendSig(de_ctx,
905
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:5;)");
906
    FAIL_IF_NULL(sig);
907
908
    sig = DetectEngineAppendSig(de_ctx,
909
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:6;)");
910
    FAIL_IF_NULL(sig);
911
912
    sig = DetectEngineAppendSig(de_ctx,
913
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:7;)");
914
    FAIL_IF_NULL(sig);
915
916
    sig = DetectEngineAppendSig(de_ctx,
917
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
918
    FAIL_IF_NULL(sig);
919
920
    sig = DetectEngineAppendSig(de_ctx,
921
            "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowbits:set,TEST.one; flowbits:noalert; sid:9;)");
922
    FAIL_IF_NULL(sig);
923
924
    sig = DetectEngineAppendSig(de_ctx,
925
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
926
    FAIL_IF_NULL(sig);
927
928
    sig = DetectEngineAppendSig(de_ctx,
929
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
930
    FAIL_IF_NULL(sig);
931
932
    sig = DetectEngineAppendSig(de_ctx,
933
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
934
    FAIL_IF_NULL(sig);
935
936
    sig = DetectEngineAppendSig(de_ctx,
937
            "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; priority:2; flowbits:isnotset,TEST.two; sid:13;)");
938
    FAIL_IF_NULL(sig);
939
940
    sig = DetectEngineAppendSig(de_ctx,
941
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowbits:set,TEST.two; sid:14;)");
942
    FAIL_IF_NULL(sig);
943
944
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
945
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
946
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
947
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
948
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
949
    SCSigOrderSignatures(de_ctx);
950
951
    sig = de_ctx->sig_list;
952
953
#ifdef DEBUG
954
    while (sig != NULL) {
955
        printf("sid: %d\n", sig->id);
956
        sig = sig->next;
957
    }
958
#endif
959
960
    sig = de_ctx->sig_list;
961
962
    /* pass */
963
    FAIL_IF_NOT(sig->id == 6);
964
    sig = sig->next;
965
    FAIL_IF_NOT(sig->id == 4);
966
    sig = sig->next;
967
    FAIL_IF_NOT(sig->id == 8);
968
    sig = sig->next;
969
    FAIL_IF_NOT(sig->id == 7);
970
    sig = sig->next;
971
    FAIL_IF_NOT(sig->id == 10);
972
    sig = sig->next;
973
974
    /* drops */
975
    FAIL_IF_NOT(sig->id == 9);
976
    sig = sig->next;
977
    FAIL_IF_NOT(sig->id == 13);
978
    sig = sig->next;
979
    FAIL_IF_NOT(sig->id == 2);
980
    sig = sig->next;
981
    FAIL_IF_NOT(sig->id == 3);
982
    sig = sig->next;
983
984
    /* alerts */
985
    FAIL_IF_NOT(sig->id == 14);
986
    sig = sig->next;
987
    FAIL_IF_NOT(sig->id == 5);
988
    sig = sig->next;
989
    FAIL_IF_NOT(sig->id == 1);
990
    sig = sig->next;
991
    FAIL_IF_NOT(sig->id == 11);
992
    sig = sig->next;
993
    FAIL_IF_NOT(sig->id == 12);
994
    sig = sig->next;
995
996
    DetectEngineCtxFree(de_ctx);
997
    PASS;
998
}
999
1000
static int SCSigOrderingTest03(void)
1001
{
1002
    Signature *sig = NULL;
1003
1004
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1005
    FAIL_IF_NULL(de_ctx);
1006
1007
    sig = DetectEngineAppendSig(de_ctx,
1008
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1009
            "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:1;)");
1010
    FAIL_IF_NULL(sig);
1011
1012
    sig = DetectEngineAppendSig(de_ctx,
1013
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1014
            "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:2;)");
1015
    FAIL_IF_NULL(sig);
1016
1017
    sig = DetectEngineAppendSig(de_ctx,
1018
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1019
            "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; "
1020
            "flowbits:unset,TEST.one; rev:4; priority:2; sid:3;)");
1021
    FAIL_IF_NULL(sig);
1022
1023
    sig = DetectEngineAppendSig(de_ctx,
1024
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1025
            "offset:0; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1026
            "flowbits:isset,TEST.one; rev:4; priority:1; sid:4;)");
1027
    FAIL_IF_NULL(sig);
1028
1029
    sig = DetectEngineAppendSig(de_ctx,
1030
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1031
            "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; priority:2; sid:5;)");
1032
    FAIL_IF_NULL(sig);
1033
1034
    sig = DetectEngineAppendSig(de_ctx,
1035
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1036
            "content:\"220\"; offset:10; flowbits:isnotset,TEST.one; pcre:\"/^User-Agent: "
1037
            "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; sid:6;)");
1038
    FAIL_IF_NULL(sig);
1039
1040
    sig = DetectEngineAppendSig(de_ctx,
1041
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1042
            "content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; "
1043
            "flowbits:unset,TEST.one; rev:4; priority:3; sid:7;)");
1044
    FAIL_IF_NULL(sig);
1045
1046
    sig = DetectEngineAppendSig(de_ctx,
1047
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1048
            "offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:toggle,TEST.one; rev:4; priority:1; "
1049
            "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1050
    FAIL_IF_NULL(sig);
1051
1052
    sig = DetectEngineAppendSig(de_ctx,
1053
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1054
            "content:\"220\"; offset:10; depth:4; rev:4; flowbits:set,TEST.one; "
1055
            "flowbits:noalert; pktvar:http_host,\"www.oisf.net\"; sid:9;)");
1056
    FAIL_IF_NULL(sig);
1057
1058
    sig = DetectEngineAppendSig(de_ctx,
1059
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1060
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1061
    FAIL_IF_NULL(sig);
1062
1063
    sig = DetectEngineAppendSig(de_ctx,
1064
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1065
            "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1066
    FAIL_IF_NULL(sig);
1067
1068
    sig = DetectEngineAppendSig(de_ctx,
1069
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1070
            "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1071
    FAIL_IF_NULL(sig);
1072
1073
    sig = DetectEngineAppendSig(de_ctx,
1074
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1075
            "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:isnotset,TEST.one; sid:13;)");
1076
    FAIL_IF_NULL(sig);
1077
1078
    sig = DetectEngineAppendSig(de_ctx,
1079
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1080
            "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:set,TEST.one; sid:14;)");
1081
    FAIL_IF_NULL(sig);
1082
1083
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1084
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1085
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1086
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1087
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1088
    SCSigOrderSignatures(de_ctx);
1089
1090
    sig = de_ctx->sig_list;
1091
1092
#ifdef DEBUG
1093
    while (sig != NULL) {
1094
        printf("sid: %d\n", sig->id);
1095
        sig = sig->next;
1096
    }
1097
#endif
1098
1099
    sig = de_ctx->sig_list;
1100
1101
    FAIL_IF_NOT(sig->id == 3);
1102
    sig = sig->next;
1103
1104
    FAIL_IF_NOT(sig->id == 8);
1105
    sig = sig->next;
1106
    FAIL_IF_NOT(sig->id == 9);
1107
    sig = sig->next;
1108
    FAIL_IF_NOT(sig->id == 7);
1109
    sig = sig->next;
1110
    FAIL_IF_NOT(sig->id == 14);
1111
    sig = sig->next;
1112
    FAIL_IF_NOT(sig->id == 6);
1113
    sig = sig->next;
1114
    FAIL_IF_NOT(sig->id == 4);
1115
    sig = sig->next;
1116
    FAIL_IF_NOT(sig->id == 13);
1117
    sig = sig->next;
1118
    FAIL_IF_NOT(sig->id == 2);
1119
    sig = sig->next;
1120
    FAIL_IF_NOT(sig->id == 5);
1121
    sig = sig->next;
1122
    FAIL_IF_NOT(sig->id == 1);
1123
    sig = sig->next;
1124
    FAIL_IF_NOT(sig->id == 10);
1125
    sig = sig->next;
1126
    FAIL_IF_NOT(sig->id == 11);
1127
    sig = sig->next;
1128
    FAIL_IF_NOT(sig->id == 12);
1129
1130
    sig = sig->next;
1131
1132
    DetectEngineCtxFree(de_ctx);
1133
1134
    PASS;
1135
}
1136
1137
static int SCSigOrderingTest04(void)
1138
{
1139
1140
    Signature *sig = NULL;
1141
1142
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1143
    FAIL_IF(de_ctx == NULL);
1144
1145
    sig = DetectEngineAppendSig(de_ctx,
1146
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1147
            "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1148
    FAIL_IF_NULL(sig);
1149
1150
    sig = DetectEngineAppendSig(de_ctx,
1151
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1152
            "pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1153
            "offset:10; rev:4; priority:3; sid:2;)");
1154
    FAIL_IF_NULL(sig);
1155
1156
    sig = DetectEngineAppendSig(de_ctx,
1157
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1158
            "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1159
            "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1160
    FAIL_IF_NULL(sig);
1161
1162
    sig = DetectEngineAppendSig(de_ctx,
1163
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1164
            "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; "
1165
            "priority:3; flowvar:http_host,\"www.oisf.net\"; sid:4;)");
1166
    FAIL_IF_NULL(sig);
1167
1168
    sig = DetectEngineAppendSig(de_ctx,
1169
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1170
            "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1171
            "pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1172
    FAIL_IF_NULL(sig);
1173
1174
    sig = DetectEngineAppendSig(de_ctx,
1175
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1176
            "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1177
            "pktvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:6;)");
1178
    FAIL_IF_NULL(sig);
1179
1180
    sig = DetectEngineAppendSig(de_ctx,
1181
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1182
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; flowvar:http_host,\"www.oisf.net\"; "
1183
            "pktvar:http_host,\"www.oisf.net\"; priority:1; sid:7;)");
1184
    FAIL_IF_NULL(sig);
1185
1186
    sig = DetectEngineAppendSig(de_ctx,
1187
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1188
            "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1189
            "flowvar:http_host,\"www.oisf.net\"; sid:8;)");
1190
    FAIL_IF_NULL(sig);
1191
1192
    sig = DetectEngineAppendSig(de_ctx,
1193
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1194
            "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1195
            "flowvar:http_host,\"www.oisf.net\"; sid:9;)");
1196
    FAIL_IF_NULL(sig);
1197
1198
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1199
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1200
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1201
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1202
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1203
    SCSigOrderSignatures(de_ctx);
1204
1205
    sig = de_ctx->sig_list;
1206
1207
#ifdef DEBUG
1208
    while (sig != NULL) {
1209
        printf("sid: %d\n", sig->id);
1210
        sig = sig->next;
1211
    }
1212
#endif
1213
1214
    sig = de_ctx->sig_list;
1215
1216
    /* flowvar set */
1217
    sig = sig->next;
1218
    FAIL_IF_NOT(sig->id == 3);
1219
    sig = sig->next;
1220
    FAIL_IF_NOT(sig->id == 4);
1221
    sig = sig->next;
1222
    FAIL_IF_NOT(sig->id == 7);
1223
    sig = sig->next;
1224
    FAIL_IF_NOT(sig->id == 8);
1225
    sig = sig->next;
1226
    FAIL_IF_NOT(sig->id == 9);
1227
    sig = sig->next;
1228
1229
    /* pktvar */
1230
1231
    FAIL_IF_NOT(sig->id == 5);
1232
    sig = sig->next;
1233
    FAIL_IF_NOT(sig->id == 6);
1234
    sig = sig->next;
1235
1236
    FAIL_IF_NOT(sig->id == 1);
1237
    sig = sig->next;
1238
1239
    DetectEngineCtxFree(de_ctx);
1240
1241
    PASS;
1242
}
1243
1244
static int SCSigOrderingTest05(void)
1245
{
1246
    Signature *sig = NULL;
1247
1248
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1249
    FAIL_IF(de_ctx == NULL);
1250
1251
    sig = DetectEngineAppendSig(de_ctx,
1252
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1253
            "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1254
    FAIL_IF_NULL(sig);
1255
1256
    sig = DetectEngineAppendSig(de_ctx,
1257
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1258
            "pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1259
            "offset:10; rev:4; priority:3; sid:2;)");
1260
    FAIL_IF_NULL(sig);
1261
1262
    sig = DetectEngineAppendSig(de_ctx,
1263
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1264
            "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1265
            "(?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1266
    FAIL_IF_NULL(sig);
1267
1268
    sig = DetectEngineAppendSig(de_ctx,
1269
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1270
            "offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; "
1271
            "priority:3; pktvar:http_host,\"www.oisf.net\"; sid:4;)");
1272
    FAIL_IF_NULL(sig);
1273
1274
    sig = DetectEngineAppendSig(de_ctx,
1275
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1276
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1277
    FAIL_IF_NULL(sig);
1278
1279
    sig = DetectEngineAppendSig(de_ctx,
1280
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1281
            "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:6;)");
1282
    FAIL_IF_NULL(sig);
1283
1284
    sig = DetectEngineAppendSig(de_ctx,
1285
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1286
            "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1287
            "pktvar:http_host,\"www.oisf.net\"; sid:7;)");
1288
    FAIL_IF_NULL(sig);
1289
1290
    sig = DetectEngineAppendSig(de_ctx,
1291
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1292
            "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; "
1293
            "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1294
    FAIL_IF_NULL(sig);
1295
1296
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1297
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1298
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1299
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1300
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1301
    SCSigOrderSignatures(de_ctx);
1302
1303
    sig = de_ctx->sig_list;
1304
1305
    //#ifdef DEBUG
1306
    while (sig != NULL) {
1307
        printf("sid: %d\n", sig->id);
1308
        sig = sig->next;
1309
    }
1310
    //#endif
1311
1312
    sig = de_ctx->sig_list;
1313
1314
    /* pktvar set */
1315
    FAIL_IF_NOT(sig->id == 2);
1316
    sig = sig->next;
1317
    FAIL_IF_NOT(sig->id == 3);
1318
    sig = sig->next;
1319
    FAIL_IF_NOT(sig->id == 4);
1320
    sig = sig->next;
1321
    /* pktvar read */
1322
    FAIL_IF_NOT(sig->id == 7);
1323
    sig = sig->next;
1324
    FAIL_IF_NOT(sig->id == 8);
1325
    sig = sig->next;
1326
    FAIL_IF_NOT(sig->id == 1);
1327
    sig = sig->next;
1328
    FAIL_IF_NOT(sig->id == 5);
1329
    sig = sig->next;
1330
    FAIL_IF_NOT(sig->id == 6);
1331
    sig = sig->next;
1332
1333
    DetectEngineCtxFree(de_ctx);
1334
1335
    PASS;
1336
}
1337
1338
static int SCSigOrderingTest06(void)
1339
{
1340
1341
    Signature *sig = NULL;
1342
1343
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1344
    FAIL_IF_NULL(de_ctx);
1345
1346
    sig = DetectEngineAppendSig(de_ctx,
1347
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1348
            "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1349
    FAIL_IF_NULL(sig);
1350
1351
    sig = DetectEngineAppendSig(de_ctx,
1352
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1353
            "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1354
    FAIL_IF_NULL(sig);
1355
1356
    sig = DetectEngineAppendSig(de_ctx,
1357
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1358
            "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1359
    FAIL_IF_NULL(sig);
1360
1361
    sig = DetectEngineAppendSig(de_ctx,
1362
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1363
            "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1364
    FAIL_IF_NULL(sig);
1365
1366
    sig = DetectEngineAppendSig(de_ctx,
1367
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1368
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1369
    FAIL_IF_NULL(sig);
1370
1371
    sig = DetectEngineAppendSig(de_ctx,
1372
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1373
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1374
    FAIL_IF_NULL(sig);
1375
    sig = DetectEngineAppendSig(de_ctx,
1376
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1377
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1378
    FAIL_IF_NULL(sig);
1379
1380
    sig = DetectEngineAppendSig(de_ctx,
1381
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1382
            "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1383
    FAIL_IF_NULL(sig);
1384
1385
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1386
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1387
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1388
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1389
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1390
    SCSigOrderSignatures(de_ctx);
1391
1392
    sig = de_ctx->sig_list;
1393
1394
#ifdef DEBUG
1395
    while (sig != NULL) {
1396
        printf("sid: %d\n", sig->id);
1397
        sig = sig->next;
1398
    }
1399
#endif
1400
1401
    sig = de_ctx->sig_list;
1402
1403
    FAIL_IF_NOT(sig->id == 6);
1404
    sig = sig->next;
1405
    FAIL_IF_NOT(sig->id == 2);
1406
    sig = sig->next;
1407
    FAIL_IF_NOT(sig->id == 4);
1408
    sig = sig->next;
1409
    FAIL_IF_NOT(sig->id == 5);
1410
    sig = sig->next;
1411
    FAIL_IF_NOT(sig->id == 7);
1412
    sig = sig->next;
1413
    FAIL_IF_NOT(sig->id == 8);
1414
    sig = sig->next;
1415
    FAIL_IF_NOT(sig->id == 1);
1416
    sig = sig->next;
1417
    FAIL_IF_NOT(sig->id == 3);
1418
    sig = sig->next;
1419
1420
    DetectEngineCtxFree(de_ctx);
1421
1422
    PASS;
1423
}
1424
static int SCSigOrderingTest07(void)
1425
{
1426
1427
    Signature *sig = NULL;
1428
1429
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1430
    FAIL_IF(de_ctx == NULL);
1431
1432
    sig = DetectEngineAppendSig(de_ctx,
1433
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1434
            "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1435
    FAIL_IF_NULL(sig);
1436
1437
    sig = DetectEngineAppendSig(de_ctx,
1438
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1439
            "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1440
    FAIL_IF_NULL(sig);
1441
1442
    sig = DetectEngineAppendSig(de_ctx,
1443
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1444
            "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1445
    FAIL_IF_NULL(sig);
1446
1447
    sig = DetectEngineAppendSig(de_ctx,
1448
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1449
            "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1450
    FAIL_IF_NULL(sig);
1451
1452
    sig = DetectEngineAppendSig(de_ctx,
1453
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1454
            "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1455
    FAIL_IF_NULL(sig);
1456
1457
    sig = DetectEngineAppendSig(de_ctx,
1458
            "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1459
            "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1460
    FAIL_IF_NULL(sig);
1461
1462
    sig = DetectEngineAppendSig(de_ctx,
1463
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1464
            "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4; priority:2;)");
1465
    FAIL_IF_NULL(sig);
1466
1467
    sig = DetectEngineAppendSig(de_ctx,
1468
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1469
            "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1470
    FAIL_IF_NULL(sig);
1471
1472
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1473
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1474
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1475
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1476
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1477
    SCSigOrderSignatures(de_ctx);
1478
1479
    sig = de_ctx->sig_list;
1480
1481
#ifdef DEBUG
1482
    while (sig != NULL) {
1483
        printf("sid: %d\n", sig->id);
1484
        sig = sig->next;
1485
    }
1486
#endif
1487
1488
    sig = de_ctx->sig_list;
1489
1490
    FAIL_IF_NOT(sig->id == 2);
1491
    sig = sig->next;
1492
    FAIL_IF_NOT(sig->id == 4);
1493
    sig = sig->next;
1494
    FAIL_IF_NOT(sig->id == 5);
1495
    sig = sig->next;
1496
    FAIL_IF_NOT(sig->id == 7);
1497
    sig = sig->next;
1498
    FAIL_IF_NOT(sig->id == 6);
1499
    sig = sig->next;
1500
    FAIL_IF_NOT(sig->id == 8);
1501
    sig = sig->next;
1502
    FAIL_IF_NOT(sig->id == 1);
1503
    sig = sig->next;
1504
    FAIL_IF_NOT(sig->id == 3);
1505
    sig = sig->next;
1506
1507
    DetectEngineCtxFree(de_ctx);
1508
1509
    PASS;
1510
}
1511
1512
/**
1513
 * \test Order with a different Action priority
1514
 * (as specified from config)
1515
 */
1516
static int SCSigOrderingTest08(void)
1517
{
1518
#ifdef HAVE_LIBNET11
1519
1520
    Signature *sig = NULL;
1521
    extern uint8_t action_order_sigs[4];
1522
1523
    /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
1524
    action_order_sigs[0] = ACTION_REJECT;
1525
    action_order_sigs[1] = ACTION_DROP;
1526
    action_order_sigs[2] = ACTION_ALERT;
1527
    action_order_sigs[3] = ACTION_PASS;
1528
1529
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1530
    FAIL_IF(de_ctx == NULL);
1531
1532
    sig = DetectEngineAppendSig(de_ctx,
1533
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1534
            "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1535
    FAIL_IF_NULL(sig);
1536
1537
    sig = DetectEngineAppendSig(de_ctx,
1538
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1539
            "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1540
    FAIL_IF_NULL(sig);
1541
1542
    sig = DetectEngineAppendSig(de_ctx,
1543
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1544
            "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1545
    FAIL_IF_NULL(sig);
1546
1547
    sig = DetectEngineAppendSig(de_ctx,
1548
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1549
            "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1550
    FAIL_IF_NULL(sig);
1551
1552
    sig = DetectEngineAppendSig(de_ctx,
1553
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1554
            "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1555
    FAIL_IF_NULL(sig);
1556
1557
    sig = DetectEngineAppendSig(de_ctx,
1558
            "reject tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1559
            "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1560
    FAIL_IF_NULL(sig);
1561
1562
    sig = DetectEngineAppendSig(de_ctx,
1563
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; "
1564
            "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4;)");
1565
    FAIL_IF_NULL(sig);
1566
1567
    sig = DetectEngineAppendSig(de_ctx,
1568
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1569
            "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1570
    FAIL_IF_NULL(sig);
1571
1572
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1573
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1574
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1575
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1576
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1577
    SCSigOrderSignatures(de_ctx);
1578
1579
    sig = de_ctx->sig_list;
1580
1581
#ifdef DEBUG
1582
    while (sig != NULL) {
1583
        printf("sid: %d\n", sig->id);
1584
        sig = sig->next;
1585
    }
1586
#endif
1587
1588
    sig = de_ctx->sig_list;
1589
1590
    FAIL_IF_NOT(sig->id == 6);
1591
    sig = sig->next;
1592
    FAIL_IF_NOT(sig->id == 8);
1593
    sig = sig->next;
1594
    FAIL_IF_NOT(sig->id == 1);
1595
    sig = sig->next;
1596
    FAIL_IF_NOT(sig->id == 3);
1597
    sig = sig->next;
1598
    FAIL_IF_NOT(sig->id == 2);
1599
    sig = sig->next;
1600
    FAIL_IF_NOT(sig->id == 4);
1601
    sig = sig->next;
1602
    FAIL_IF_NOT(sig->id == 5);
1603
    sig = sig->next;
1604
    FAIL_IF_NOT(sig->id == 7);
1605
    sig = sig->next;
1606
1607
    /* Restore the default pre-order definition */
1608
    action_order_sigs[0] = ACTION_PASS;
1609
    action_order_sigs[1] = ACTION_DROP;
1610
    action_order_sigs[2] = ACTION_REJECT;
1611
    action_order_sigs[3] = ACTION_ALERT;
1612
1613
    DetectEngineCtxFree(de_ctx);
1614
1615
#endif
1616
    PASS;
1617
}
1618
1619
/**
1620
 * \test Order with a different Action priority
1621
 * (as specified from config)
1622
 */
1623
static int SCSigOrderingTest09(void)
1624
{
1625
1626
    Signature *sig = NULL;
1627
    extern uint8_t action_order_sigs[4];
1628
1629
    /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
1630
    action_order_sigs[0] = ACTION_DROP;
1631
    action_order_sigs[1] = ACTION_REJECT;
1632
    action_order_sigs[2] = ACTION_ALERT;
1633
    action_order_sigs[3] = ACTION_PASS;
1634
1635
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1636
    FAIL_IF(de_ctx == NULL);
1637
1638
    sig = DetectEngineAppendSig(de_ctx,
1639
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1640
            "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1;)");
1641
    FAIL_IF_NULL(sig);
1642
1643
    sig = DetectEngineAppendSig(de_ctx,
1644
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1645
            "content:\"220\"; offset:10; priority:2; sid:2;)");
1646
    FAIL_IF_NULL(sig);
1647
1648
    sig = DetectEngineAppendSig(de_ctx,
1649
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1650
            "content:\"220\"; offset:10; depth:4; priority:3; sid:3;)");
1651
    FAIL_IF_NULL(sig);
1652
1653
    sig = DetectEngineAppendSig(de_ctx,
1654
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1655
            "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1656
    FAIL_IF_NULL(sig);
1657
1658
    sig = DetectEngineAppendSig(de_ctx,
1659
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1660
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1661
    FAIL_IF_NULL(sig);
1662
1663
    sig = DetectEngineAppendSig(de_ctx,
1664
            "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1665
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1666
    FAIL_IF_NULL(sig);
1667
1668
    sig = DetectEngineAppendSig(de_ctx,
1669
            "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1670
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1671
    FAIL_IF_NULL(sig);
1672
1673
    sig = DetectEngineAppendSig(de_ctx,
1674
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1675
            "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1676
    FAIL_IF_NULL(sig);
1677
1678
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1679
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1680
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1681
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1682
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1683
    SCSigOrderSignatures(de_ctx);
1684
1685
    sig = de_ctx->sig_list;
1686
1687
#ifdef DEBUG
1688
    while (sig != NULL) {
1689
        printf("sid: %d\n", sig->id);
1690
        sig = sig->next;
1691
    }
1692
#endif
1693
1694
    sig = de_ctx->sig_list;
1695
1696
    FAIL_IF_NOT(sig->id == 6);
1697
    sig = sig->next;
1698
    FAIL_IF_NOT(sig->id == 7);
1699
    sig = sig->next;
1700
    FAIL_IF_NOT(sig->id == 8);
1701
    sig = sig->next;
1702
    FAIL_IF_NOT(sig->id == 1);
1703
    sig = sig->next;
1704
    FAIL_IF_NOT(sig->id == 3);
1705
    sig = sig->next;
1706
    FAIL_IF_NOT(sig->id == 2);
1707
    sig = sig->next;
1708
    FAIL_IF_NOT(sig->id == 4);
1709
    sig = sig->next;
1710
    FAIL_IF_NOT(sig->id == 5);
1711
    sig = sig->next;
1712
1713
    /* Restore the default pre-order definition */
1714
    action_order_sigs[0] = ACTION_DROP;
1715
    action_order_sigs[1] = ACTION_REJECT;
1716
    action_order_sigs[2] = ACTION_PASS;
1717
    action_order_sigs[3] = ACTION_ALERT;
1718
1719
    DetectEngineCtxFree(de_ctx);
1720
    PASS;
1721
}
1722
1723
/**
1724
 * \test Order with a different Action priority
1725
 * (as specified from config)
1726
 */
1727
static int SCSigOrderingTest10(void)
1728
{
1729
1730
    Signature *sig = NULL;
1731
    extern uint8_t action_order_sigs[4];
1732
1733
    /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
1734
    action_order_sigs[0] = ACTION_PASS;
1735
    action_order_sigs[1] = ACTION_ALERT;
1736
    action_order_sigs[2] = ACTION_DROP;
1737
    action_order_sigs[3] = ACTION_REJECT;
1738
1739
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1740
    FAIL_IF(de_ctx == NULL);
1741
1742
    sig = DetectEngineAppendSig(de_ctx,
1743
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1744
            "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1745
    FAIL_IF_NULL(sig);
1746
1747
    sig = DetectEngineAppendSig(de_ctx,
1748
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1749
            "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1750
    FAIL_IF_NULL(sig);
1751
1752
    sig = DetectEngineAppendSig(de_ctx,
1753
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1754
            "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1755
    FAIL_IF_NULL(sig);
1756
1757
    sig = DetectEngineAppendSig(de_ctx,
1758
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1759
            "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1760
    FAIL_IF_NULL(sig);
1761
1762
    sig = DetectEngineAppendSig(de_ctx,
1763
            "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1764
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1765
    FAIL_IF_NULL(sig);
1766
1767
    sig = DetectEngineAppendSig(de_ctx,
1768
            "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1769
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1770
    FAIL_IF_NULL(sig);
1771
1772
    sig = DetectEngineAppendSig(de_ctx,
1773
            "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1774
            "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1775
    FAIL_IF_NULL(sig);
1776
1777
    sig = DetectEngineAppendSig(de_ctx,
1778
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1779
            "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1780
    FAIL_IF_NULL(sig);
1781
1782
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1783
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1784
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1785
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1786
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1787
    SCSigOrderSignatures(de_ctx);
1788
1789
    sig = de_ctx->sig_list;
1790
1791
#ifdef DEBUG
1792
    while (sig != NULL) {
1793
        printf("sid: %d\n", sig->id);
1794
        sig = sig->next;
1795
    }
1796
#endif
1797
1798
    sig = de_ctx->sig_list;
1799
1800
    FAIL_IF_NOT(sig->id == 2);
1801
    sig = sig->next;
1802
    FAIL_IF_NOT(sig->id == 4);
1803
    sig = sig->next;
1804
    FAIL_IF_NOT(sig->id == 5);
1805
    sig = sig->next;
1806
    FAIL_IF_NOT(sig->id == 8);
1807
    sig = sig->next;
1808
    FAIL_IF_NOT(sig->id == 1);
1809
    sig = sig->next;
1810
    FAIL_IF_NOT(sig->id == 3);
1811
    sig = sig->next;
1812
    FAIL_IF_NOT(sig->id == 6);
1813
    sig = sig->next;
1814
    FAIL_IF_NOT(sig->id == 7);
1815
    sig = sig->next;
1816
1817
    /* Restore the default pre-order definition */
1818
    action_order_sigs[0] = ACTION_PASS;
1819
    action_order_sigs[1] = ACTION_DROP;
1820
    action_order_sigs[2] = ACTION_REJECT;
1821
    action_order_sigs[3] = ACTION_ALERT;
1822
1823
    DetectEngineCtxFree(de_ctx);
1824
    PASS;
1825
}
1826
1827
static int SCSigOrderingTest11(void)
1828
{
1829
1830
    Signature *sig = NULL;
1831
1832
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1833
    FAIL_IF(de_ctx == NULL);
1834
1835
    sig = DetectEngineAppendSig(de_ctx,
1836
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering set\"; "
1837
            "flowbits:isnotset,myflow1; rev:4; sid:1;)");
1838
    FAIL_IF_NULL(sig);
1839
1840
    sig = DetectEngineAppendSig(de_ctx,
1841
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering toggle\"; "
1842
            "flowbits:toggle,myflow2; rev:4; sid:2;)");
1843
    FAIL_IF_NULL(sig);
1844
1845
    sig = DetectEngineAppendSig(de_ctx,
1846
            "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; "
1847
            "flowbits:isset, myflow1; flowbits:unset,myflow2; rev:4; priority:3; sid:3;)");
1848
    FAIL_IF_NULL(sig);
1849
1850
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1851
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1852
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1853
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1854
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1855
    SCSigOrderSignatures(de_ctx);
1856
1857
    sig = de_ctx->sig_list;
1858
1859
#ifdef DEBUG
1860
    while (sig != NULL) {
1861
        printf("sid: %d\n", sig->id);
1862
        sig = sig->next;
1863
    }
1864
#endif
1865
1866
    sig = de_ctx->sig_list;
1867
1868
    FAIL_IF_NOT(sig->id == 2);
1869
    sig = sig->next;
1870
    FAIL_IF_NOT(sig->id == 3);
1871
    sig = sig->next;
1872
    FAIL_IF_NOT(sig->id == 1);
1873
    sig = sig->next;
1874
1875
    DetectEngineCtxFree(de_ctx);
1876
    PASS;
1877
}
1878
1879
static int SCSigOrderingTest12(void)
1880
{
1881
    Signature *sig = NULL;
1882
    Packet *p = NULL;
1883
    uint8_t buf[] = "test message";
1884
    Flow f;
1885
1886
    FLOW_INITIALIZE(&f);
1887
    f.flags |= FLOW_IPV4;
1888
    f.alproto = ALPROTO_UNKNOWN;
1889
    f.proto = IPPROTO_TCP;
1890
1891
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1892
    FAIL_IF(de_ctx == NULL);
1893
    de_ctx->flags |= DE_QUIET;
1894
1895
    const char *sigs[2];
1896
    sigs[0] = "alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:isset,one; flowbits:set,two; sid:1;)";
1897
    sigs[1] = "alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:set,one; sid:2;)";
1898
    UTHAppendSigs(de_ctx, sigs, 2);
1899
1900
    sig = de_ctx->sig_list;
1901
    FAIL_IF_NULL(sig);
1902
    FAIL_IF_NULL(sig->next);
1903
    FAIL_IF_NOT_NULL(sig->next->next);
1904
    FAIL_IF(de_ctx->signum != 2);
1905
1906
    FlowInitConfig(FLOW_QUIET);
1907
    p = UTHBuildPacket(buf, sizeof(buf), IPPROTO_TCP);
1908
    FAIL_IF_NULL(p);
1909
1910
    p->flow = &f;
1911
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
1912
    p->flowflags |= FLOW_PKT_TOSERVER;
1913
    p->flowflags |= FLOW_PKT_ESTABLISHED;
1914
1915
    UTHMatchPackets(de_ctx, &p, 1);
1916
1917
    uint32_t sids[2] = {1, 2};
1918
    uint32_t results[2] = {1, 1};
1919
    FAIL_IF_NOT(UTHCheckPacketMatchResults(p, sids, results, 2));
1920
1921
    UTHFreePackets(&p, 1);
1922
1923
    DetectEngineCtxFree(de_ctx);
1924
1925
    FlowShutdown();
1926
1927
    PASS;
1928
}
1929
1930
/** \test Bug 1061 */
1931
static int SCSigOrderingTest13(void)
1932
{
1933
1934
    Signature *sig = NULL;
1935
1936
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1937
    FAIL_IF(de_ctx == NULL);
1938
1939
    sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:set,bit2; flowbits:set,bit3; sid:6;)");
1940
    FAIL_IF_NULL(sig);
1941
    sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:set,bit1; flowbits:set,bit2; sid:7;)");
1942
    FAIL_IF_NULL(sig);
1943
    sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:isset,bit2; flowbits:isset,bit3; sid:5;)");
1944
    FAIL_IF_NULL(sig);
1945
1946
    SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1947
    SCSigOrderSignatures(de_ctx);
1948
1949
#ifdef DEBUG
1950
    sig = de_ctx->sig_list;
1951
    while (sig != NULL) {
1952
        printf("sid: %d\n", sig->id);
1953
        sig = sig->next;
1954
    }
1955
#endif
1956
1957
    sig = de_ctx->sig_list;
1958
1959
    FAIL_IF_NOT(sig->id == 7);
1960
    sig = sig->next;
1961
    FAIL_IF_NOT(sig->id == 6);
1962
    sig = sig->next;
1963
    FAIL_IF_NOT(sig->id == 5);
1964
    sig = sig->next;
1965
1966
    DetectEngineCtxFree(de_ctx);
1967
    PASS;
1968
}
1969
1970
#endif
1971
1972
void SCSigRegisterSignatureOrderingTests(void)
1973
0
{
1974
1975
#ifdef UNITTESTS
1976
    UtRegisterTest("SCSigOrderingTest01", SCSigOrderingTest01);
1977
    UtRegisterTest("SCSigOrderingTest02", SCSigOrderingTest02);
1978
    UtRegisterTest("SCSigOrderingTest03", SCSigOrderingTest03);
1979
    UtRegisterTest("SCSigOrderingTest04", SCSigOrderingTest04);
1980
    UtRegisterTest("SCSigOrderingTest05", SCSigOrderingTest05);
1981
    UtRegisterTest("SCSigOrderingTest06", SCSigOrderingTest06);
1982
    UtRegisterTest("SCSigOrderingTest07", SCSigOrderingTest07);
1983
    UtRegisterTest("SCSigOrderingTest08", SCSigOrderingTest08);
1984
    UtRegisterTest("SCSigOrderingTest09", SCSigOrderingTest09);
1985
    UtRegisterTest("SCSigOrderingTest10", SCSigOrderingTest10);
1986
    UtRegisterTest("SCSigOrderingTest11", SCSigOrderingTest11);
1987
    UtRegisterTest("SCSigOrderingTest12", SCSigOrderingTest12);
1988
    UtRegisterTest("SCSigOrderingTest13", SCSigOrderingTest13);
1989
#endif
1990
0
}