
自学教程:C++ DetectEngineThreadCtxDeinit函数代码示例

51自学网 2021-06-01 20:27:21
  C++
这篇教程C++ DetectEngineThreadCtxDeinit函数代码示例写得很实用,希望能帮到您。

本文整理汇总了C++中DetectEngineThreadCtxDeinit函数的典型用法代码示例。如果您正苦于以下问题:C++ DetectEngineThreadCtxDeinit函数的具体用法?C++ DetectEngineThreadCtxDeinit怎么用?C++ DetectEngineThreadCtxDeinit使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。

在下文中一共展示了DetectEngineThreadCtxDeinit函数的29个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的C++代码示例。

示例1: DetectBase64DecodeTestDecodeRelative

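/**
 * \test Check "base64_decode: relative" against a payload whose Base64 data
 *       follows a content match.
 *
 * The payload is eight 'a' bytes followed by "SGVsbG8gV29ybGQ=" (the Base64
 * form of "Hello World"). The rule matches the "aaaaaaaa" content and then
 * decodes relative to it; the test passes only if the thread context holds
 * exactly the decoded text afterwards.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectBase64DecodeTestDecodeRelative(void)
{
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Packet *p = NULL;
    int retval = 0;

    uint8_t payload[] = {
        'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
        'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
        'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
    };
    char decoded[] = "Hello World";

    memset(&tv, 0, sizeof(tv));

    if ((de_ctx = DetectEngineCtxInit()) == NULL) {
        goto end;
    }

    /* The quotes inside the rule must be backslash-escaped; the listing had
     * them garbled into forward slashes, which does not compile. */
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert tcp any any -> any any (msg:\"base64 test\"; "
                               "content:\"aaaaaaaa\"; "
                               "base64_decode: relative; "
                               "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* det_ctx is dereferenced below, so a failed thread-context init must
     * fail the test instead of crashing it. */
    if (det_ctx == NULL) {
        goto end;
    }

    p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
    if (p == NULL) {
        goto end;
    }

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    /* Length first, then content: both must match the expected plaintext. */
    if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
        goto end;
    }
    if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
        goto end;
    }

    retval = 1;

end:
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    }
    if (de_ctx != NULL) {
        SigCleanSignatures(de_ctx);
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePacket(p);
    }
    return retval;
}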
开发者ID:tutengfei,项目名称:suricata,代码行数:60,


示例2: DetectDetectionFilterTestSig1

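/**
 * \test DetectDetectionFilterTestSig1 is a test for checking the working of
 *       the detection_filter keyword by setting up the signature and later
 *       testing its working by matching the received packet against the sig.
 *
 * The rule tracks by destination with "count 4, seconds 60". The same packet
 * is inspected eight times and the test passes only if exactly four of those
 * inspections raise sid 1.
 *
 *  \retval 1 on success
 *  \retval 0 on failure
 */
static int DetectDetectionFilterTestSig1(void)
{
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    /* Start from NULL so the cleanup path can tell whether init succeeded. */
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;
    int alerts = 0;

    HostInitConfig(HOST_QUIET);

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
    if (p == NULL) {
        goto end;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,
            "alert tcp any any -> any 80 (msg:\"detection_filter Test\"; "
            "detection_filter: track by_dst, count 4, seconds 60; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        goto end;
    }

    /* Eight identical inspections; count how many of them alerted. */
    for (int i = 0; i < 8; i++) {
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
        alerts += PacketAlertCheck(p, 1);
    }

    if (alerts == 4) {
        result = 1;
    }

end:
    /* Every exit goes through here, so a rule-parse failure no longer leaks
     * the detection engine context. */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
    }
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }
    UTHFreePackets(&p, 1);
    HostShutdown();
    return result;
}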
开发者ID:javarange,项目名称:suricata,代码行数:68,


示例3: FlowWorkerThreadDeinit

/**
 * \brief Release the per-thread state owned by a flow worker.
 *
 * Frees the decoder, stream, detection and output sub-contexts in that
 * order, then the packet queue mutex, the atomic holding the detect thread
 * pointer, and finally the worker structure itself.
 *
 * \param tv   thread vars handed to each sub-context's deinit routine
 * \param data the FlowWorkerThreadData to tear down
 *
 * \retval TM_ECODE_OK always
 */
static TmEcode FlowWorkerThreadDeinit(ThreadVars *tv, void *data)
{
    FlowWorkerThreadData *worker = data;

    DecodeThreadVarsFree(tv, worker->dtv);

    /* stream / TCP state */
    StreamTcpThreadDeinit(tv, (void *)worker->stream_thread);

    /* detection state: read the pointer once, free it if set, and clear the
     * stored value so nothing is left pointing at the freed context */
    void *det_thread = SC_ATOMIC_GET(worker->detect_thread);
    if (det_thread != NULL) {
        DetectEngineThreadCtxDeinit(tv, det_thread);
        SC_ATOMIC_SET(worker->detect_thread, NULL);
    }

    /* output loggers */
    OutputLoggerThreadDeinit(tv, worker->output_thread);

    /* the packet queue must already be empty at this point */
    BUG_ON(worker->pq.len);
    SCMutexDestroy(&worker->pq.mutex_q);

    SC_ATOMIC_DESTROY(worker->detect_thread);
    SCFree(worker);
    return TM_ECODE_OK;
}
开发者ID:norg,项目名称:suricata,代码行数:27,


示例4: DetectFlowintTestPacket03Real

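/**
 * \test DetectFlowintTestPacket03Real
 * \brief Check the behaviour of isset/notset
 *
 * Three packets share one flow. The "GET" packet must raise sid 101, the
 * "Unauthorized" packet must raise sid 102 but not sid 103, and the final
 * "1" packet must raise neither 102 nor 103.
 *
 * The FAIL_IF/PASS macros decide the return value; a failing FAIL_IF leaves
 * the function before the cleanup calls at the bottom are reached.
 */
int DetectFlowintTestPacket03Real()
{
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    memset(&th_v, 0, sizeof(th_v));

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF(de_ctx == NULL);

    de_ctx->flags |= DE_QUIET;

    /* Quotes inside the rules are backslash-escaped; the listing showed them
     * garbled as forward slashes, which is not valid C. */
    char *sigs[3];
    sigs[0] = "alert tcp any any -> any any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; sid:101;)";
    sigs[1] = "alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; sid:102;)";
    sigs[2] = "alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; sid:103;)";
    FAIL_IF(UTHAppendSigs(de_ctx, sigs, 3) == 0);

    SCSigRegisterSignatureOrderingFuncs(de_ctx);
    SCSigOrderSignatures(de_ctx);
    SCSigSignatureOrderingModuleCleanup(de_ctx);
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1",
            41424, 80);
    FAIL_IF(f == NULL);
    f->proto = IPPROTO_TCP;

    /* Packet 1: sid 101 is expected to fire on "GET". */
    p = UTHBuildPacket((uint8_t *)"GET", 3, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 101));
    UTHFreePacket(p);

    /* Packet 2: sid 102 must fire, sid 103 must stay silent. */
    p = UTHBuildPacket((uint8_t *)"Unauthorized", 12, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 102));
    FAIL_IF(PacketAlertCheck(p, 103));
    UTHFreePacket(p);

    /* Packet 3: matches no content keyword, so neither 102 nor 103 may fire. */
    p = UTHBuildPacket((uint8_t *)"1", 1, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(PacketAlertCheck(p, 102));
    FAIL_IF(PacketAlertCheck(p, 103));
    UTHFreePacket(p);

    UTHFreeFlow(f);
    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);

    PASS;
}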
开发者ID:thus,项目名称:suricata,代码行数:62,


示例5: AlertFastLogTest02

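/**
 * \test Match a "GET" rule carrying "Classtype:unknown" against an HTTP
 *       request line and compare the classification message attached to the
 *       resulting alert with "Unknown are we".
 *
 * The classification data comes from the dummy config generated by
 * SCClassConfGenerateValidDummyClassConfigFD01().
 *
 * \retval 1 if exactly one alert was raised and its class_msg matched
 * \retval 0 otherwise
 */
int AlertFastLogTest02()
{
    int result = 0;
    /* "\r\n" line endings; the listing had the backslashes garbled. */
    uint8_t *buf = (uint8_t *) "GET /one/ HTTP/1.1\r\n"
        "Host: one.example.org\r\n";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
    if (p == NULL) {
        /* p->alerts is read below; nothing to clean up yet. */
        return result;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* Release the packet instead of returning with it still allocated. */
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"FastLog test\"; content:\"GET\"; "
            "Classtype:unknown; sid:1;)");
    result = (de_ctx->sig_list != NULL);
    if (result == 0)
        printf("sig parse failed: ");

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        result = 0;
        goto cleanup;
    }

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (p->alerts.cnt == 1) {
        /* NOTE(review): this first comparison only drives the printf; its
         * result is overwritten by the second comparison below. */
        result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown Traffic") != 0);
        if (result == 0)
            printf("p->alerts.alerts[0].class_msg %s: ", p->alerts.alerts[0].s->class_msg);

        result = (strcmp(p->alerts.alerts[0].s->class_msg,
                    "Unknown are we") == 0);
        if (result == 0)
            printf("p->alerts.alerts[0].class_msg %s: ", p->alerts.alerts[0].s->class_msg);
    } else {
        result = 0;
    }

cleanup:
    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    DetectEngineCtxFree(de_ctx);

end:
    UTHFreePackets(&p, 1);
    return result;
}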
开发者ID:prabhakaran1989,项目名称:suricata,代码行数:57,


示例6: DetectIcmpIdMatchTest01

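/**
 * \test DetectIcmpIdMatchTest01 is a test for checking the working of
 *       icmp_id keyword by creating 2 rules and matching a crafted packet
 *       against them. Only the first one shall trigger.
 *
 * The packet's ICMP id is set to 21781; sid 1 looks for 21781 and sid 2 for
 * 21782.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
int DetectIcmpIdMatchTest01 (void)
{
    int result = 0;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&th_v, 0, sizeof(ThreadVars));

    p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
    if (p == NULL) {
        /* The id field is written right below; bail out before touching it. */
        goto end;
    }
    p->icmpv4vars.id = htons(21781);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto cleanup;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21781; sid:1;)");
    if (s == NULL) {
        goto cleanup;
    }

    s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21782; sid:2;)");
    if (s == NULL) {
        goto cleanup;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        goto cleanup;
    }

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1) == 0) {
        printf("sid 1 did not alert, but should have: ");
        goto cleanup;
    } else if (PacketAlertCheck(p, 2)) {
        printf("sid 2 alerted, but should not have: ");
        goto cleanup;
    }

    result = 1;

cleanup:
    /* All failure paths after the packet was built land here, so neither the
     * packet nor the engine context is leaked when a rule fails to parse. */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
    }
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }
    UTHFreePackets(&p, 1);

end:
    return result;
}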
开发者ID:BreakingTheory,项目名称:suricata,代码行数:61,


示例7: AlertFastLogTest01

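/**
 * \test Match a "GET" rule carrying "Classtype:unknown" against an HTTP
 *       request line and check that the single resulting alert carries the
 *       classification message "Unknown are we" from the dummy config.
 *
 * \retval 1 if exactly one alert was raised and its class_msg matched
 * \retval 0 otherwise
 */
int AlertFastLogTest01()
{
    int result = 0;
    /* "\r\n" line endings; the listing had the backslashes garbled. */
    uint8_t *buf = (uint8_t *) "GET /one/ HTTP/1.1\r\n"
                   "Host: one.example.org\r\n";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
    if (p == NULL) {
        /* p->alerts is read below; nothing to clean up yet. */
        return result;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        /* Release the packet instead of returning with it still allocated. */
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                               "(msg:\"FastLog test\"; content:\"GET\"; "
                               "Classtype:unknown; sid:1;)");
    result = (de_ctx->sig_list != NULL);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        result = 0;
        goto cleanup;
    }

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (p->alerts.cnt == 1) {
        result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
    } else {
        result = 0;
    }

#ifdef __SC_CUDA_SUPPORT__
    B2gCudaKillDispatcherThreadRC();
    if (SCCudaHlPushCudaContextFromModule("SC_RULES_CONTENT_B2G_CUDA") == -1) {
        printf("Call to SCCudaHlPushCudaContextForModule() failed\n");
        /* NOTE(review): this return skips every cleanup call below; left as
         * is because it is unclear whether cleanup is safe without the CUDA
         * context - confirm. */
        return 0;
    }
#endif

cleanup:
    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    DetectEngineCtxFree(de_ctx);

end:
    UTHFreePackets(&p, 1);
    return result;
}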
开发者ID:decanio,项目名称:suricata-tilera,代码行数:55,


示例8: DetectBase64DecodeTestDecodeLargeOffset

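/**
 * \test Check base64_decode with an offset that lies beyond the payload.
 *
 * The payload is 16 bytes long while the rule asks for "bytes 16, offset 32".
 * The test passes only if nothing was decoded, i.e. the out-of-range offset
 * is handled without producing output.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectBase64DecodeTestDecodeLargeOffset(void)
{
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Packet *p = NULL;
    int retval = 0;

    uint8_t payload[] = {
        'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
        'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
    };

    memset(&tv, 0, sizeof(tv));

    if ((de_ctx = DetectEngineCtxInit()) == NULL) {
        goto end;
    }

    /* Offset is out of range. */
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert tcp any any -> any any (msg:\"base64 test\"; "
                               "base64_decode: bytes 16, offset 32; "
                               "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* det_ctx is dereferenced below, so a failed thread-context init must
     * fail the test instead of crashing it. */
    if (det_ctx == NULL) {
        goto end;
    }

    p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
    if (p == NULL) {
        goto end;
    }

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    /* Nothing may have been decoded for an offset past the payload. */
    if (det_ctx->base64_decoded_len != 0) {
        goto end;
    }

    retval = 1;

end:
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    }
    if (de_ctx != NULL) {
        SigCleanSignatures(de_ctx);
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePacket(p);
    }
    return retval;
}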
开发者ID:tutengfei,项目名称:suricata,代码行数:55,


示例9: UTHPacketMatchSigMpm

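/**
 * \test Test if a packet match a signature given as string and a mpm_type
 * Hint: Useful for unittests with only one packet and one signature
 *
 * \param p packet to inspect
 * \param sig pointer to the string signature to test
 * \param mpm_type value stored in de_ctx->mpm_matcher before the rule is loaded
 *
 * \retval return 1 if match
 * \retval return 0 if not
 */
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
{
    SCEnter();

    int result = 0;

    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&th_v, 0, sizeof(th_v));

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("de_ctx == NULL: ");
        goto end;
    }

    de_ctx->flags |= DE_QUIET;
    de_ctx->mpm_matcher = mpm_type;

    de_ctx->sig_list = SigInit(de_ctx, sig);
    if (de_ctx->sig_list == NULL) {
        printf("signature == NULL: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("det_ctx == NULL: ");
        goto end;
    }

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    /* The alert is looked up under the id of the rule that was just loaded. */
    if (PacketAlertCheck(p, de_ctx->sig_list->id) != 1) {
        printf("signature didn't alert: ");
        goto end;
    }

    result = 1;

end:
    /* de_ctx is NULL when DetectEngineCtxInit() failed; the cleanup helpers
     * must not be handed a NULL context on that path. */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
    }

    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    SCReturnInt(result);
}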
开发者ID:EmergingThreats,项目名称:suricata,代码行数:60,


示例10: GeoipMatchTest

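/**
 * \internal
 * \brief This test tests geoip success and failure.
 *
 * Builds one TCP packet from srcip to dstip, loads the given rule and
 * inspects the packet once, checking for an alert on sid 1.
 *
 * \param rule  rule text to load
 * \param srcip source address of the test packet
 * \param dstip destination address of the test packet
 *
 * \retval 1 sid 1 alerted
 * \retval 2 the packet was inspected but sid 1 did not alert
 * \retval 0 setup failed (packet, engine context, rule or thread context)
 */
static int GeoipMatchTest(char *rule, char *srcip, char *dstip)
{
    /* "\r\n" line endings; the listing had the backslashes garbled. */
    uint8_t *buf = (uint8_t *) "GET / HTTP/1.0\r\n\r\n";
    uint16_t buflen = strlen((char *)buf);
    Packet *p1 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));

    p1 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, srcip, dstip);
    if (p1 == NULL) {
        goto end;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, rule);
    if (de_ctx->sig_list == NULL) {
        goto cleanup;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        goto cleanup;
    }

    /* From here on the outcome is "inspected, no alert" unless sid 1 fires. */
    result = 2;

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
    if (PacketAlertCheck(p1, 1) == 0) {
        goto cleanup;
    }

    result = 1;

cleanup:
    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    DetectEngineCtxFree(de_ctx);

end:
    /* The packet was never released before; free it on every exit. */
    if (p1 != NULL) {
        UTHFreePacket(p1);
    }
    return result;
}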
开发者ID:prabhakaran1989,项目名称:suricata,代码行数:52,


示例11: UTHPacketMatchSig

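/**
 * \test Test if a packet match a signature given as string
 * Hint: Useful for unittests with only one packet and one signature
 *
 * \param p packet to inspect
 * \param sig pointer to the string signature to test
 *
 * \retval return 1 if match
 * \retval return 0 if not
 */
int UTHPacketMatchSig(Packet *p, char *sig)
{
    int result = 1;

    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&th_v, 0, sizeof(th_v));

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        result = 0;
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, sig);
    if (de_ctx->sig_list == NULL) {
        result = 0;
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    /* Do not run the matcher with a thread context that failed to set up. */
    if (det_ctx == NULL) {
        result = 0;
        goto end;
    }

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    /* The alert is looked up under the id of the rule that was just loaded. */
    if (PacketAlertCheck(p, de_ctx->sig_list->id) != 1) {
        result = 0;
        goto end;
    }

end:
    if (de_ctx) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
    }

    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    return result;
}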
开发者ID:EmergingThreats,项目名称:suricata,代码行数:58,


示例12: DetectTransformCompressWhitespaceTest03

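/**
 * \test Load a rule that applies a whitespace transform to the HTTP request
 *       line and build the detection engine with it.
 *
 * No packet is inspected: the test only checks that the rule is accepted and
 * that the engine and its thread context can be set up and torn down.
 *
 * NOTE(review): the function name says "CompressWhitespace" while the rule
 * uses the strip_whitespace keyword - confirm which one is intended.
 */
static int DetectTransformCompressWhitespaceTest03(void)
{
    /* Quotes inside the rule are backslash-escaped; the '/' between GET and
     * HTTP is part of the content being matched. */
    const char rule[] = "alert http any any -> any any (http_request_line; strip_whitespace; content:\"GET/HTTP\"; sid:1;)";
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    memset(&th_v, 0, sizeof(th_v));

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    Signature *s = DetectEngineAppendSig(de_ctx, rule);
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);
    PASS;
}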
开发者ID:micsoftvn,项目名称:suricata,代码行数:17,


示例13: UTHMatchPackets

/**
 * \test UTHMatchPackets runs every packet of an array through the signatures
 * loaded in de_ctx. The return value only reports whether the run itself was
 * possible; whether a given packet alerted has to be checked afterwards with
 * PacketAlertCheck().
 *
 * \param de_ctx pointer with the signatures loaded
 * \param p pointer to the array of packets
 * \param num_packets number of packets in the array
 *
 * \retval return 1 if all goes well
 * \retval return 0 if something fail
 */
int UTHMatchPackets(DetectEngineCtx *de_ctx, Packet **p, int num_packets)
{
    const int args_ok = (de_ctx != NULL && p != NULL);

    if (!args_ok) {
        SCLogError(SC_ERR_INVALID_ARGUMENT, "packet or de_ctx was null");
    } else {
        DecodeThreadVars decode_vars;
        ThreadVars thread_vars;
        DetectEngineThreadCtx *det_ctx = NULL;

        memset(&decode_vars, 0, sizeof(DecodeThreadVars));
        memset(&thread_vars, 0, sizeof(thread_vars));

        /* order the signatures, then build the groups used for matching */
        SCSigRegisterSignatureOrderingFuncs(de_ctx);
        SCSigOrderSignatures(de_ctx);
        SCSigSignatureOrderingModuleCleanup(de_ctx);
        SigGroupBuild(de_ctx);
        DetectEngineThreadCtxInit(&thread_vars, (void *)de_ctx, (void *)&det_ctx);

        /* Match results are deliberately not examined here: de_ctx may hold
         * several signatures, some matching and some not, so the caller
         * decides what counts as success. */
        for (int idx = 0; idx < num_packets; idx++) {
            SigMatchSignatures(&thread_vars, de_ctx, det_ctx, p[idx]);
        }

        if (det_ctx != NULL) {
            DetectEngineThreadCtxDeinit(&thread_vars, (void *)det_ctx);
        }
    }

    /* group cleanup runs whenever a context was supplied, even if the packet
     * array was NULL */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
    }

    return args_ok;
}
开发者ID:EmergingThreats,项目名称:suricata,代码行数:52,


示例14: UTHMatchPacketsWithResults

/**
 * \test UTHMatchPacketsWithResults runs every packet of an array through the
 * signatures of de_ctx and, after each packet, hands that packet's slice of
 * the results table to UTHCheckPacketMatchResults().
 *
 * \param de_ctx pointer with the signatures loaded
 * \param p pointer to the array of packets
 * \param num_packets number of packets in the array
 * \param sids signature ids passed on to the per-packet check
 * \param results table indexed as results[packet * numsigs]; one row of
 *                numsigs entries per packet
 * \param numsigs number of entries in sids and in each results row
 *
 * \retval return 1 if all goes well
 * \retval return 0 if something fail
 */
int UTHMatchPacketsWithResults(DetectEngineCtx *de_ctx, Packet **p, int num_packets, uint32_t sids[], uint32_t *results, int numsigs)
{
    if (de_ctx == NULL || p == NULL) {
        SCLogError(SC_ERR_INVALID_ARGUMENT, "packet or de_ctx was null");
        return 0;
    }

    DecodeThreadVars decode_vars;
    ThreadVars thread_vars;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&decode_vars, 0, sizeof(DecodeThreadVars));
    memset(&thread_vars, 0, sizeof(thread_vars));

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&thread_vars, (void *)de_ctx, (void *)&det_ctx);

    /* assume success; the first packet whose results disagree ends the run */
    int outcome = 1;
    for (int idx = 0; idx < num_packets; idx++) {
        SigMatchSignatures(&thread_vars, de_ctx, det_ctx, p[idx]);

        uint32_t *row = &results[(idx * numsigs)];
        if (UTHCheckPacketMatchResults(p[idx], sids, row, numsigs) == 0) {
            outcome = 0;
            break;
        }
    }

    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&thread_vars, (void *)det_ctx);
    }

    return outcome;
}
开发者ID:EmergingThreats,项目名称:suricata,代码行数:48,


示例15: DetectHttpMethodSigTest04

/** /test Check a signature with an request method and negation of the same */static int DetectHttpMethodSigTest04(void){    int result = 0;    Flow f;    uint8_t httpbuf1[] = "GET / HTTP/1.0/r/n"                         "Host: foo.bar.tld/r/n"                         "/r/n";    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the /0 */    TcpSession ssn;    Packet *p = NULL;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    HtpState *http_state = NULL;    memset(&th_v, 0, sizeof(th_v));    memset(&f, 0, sizeof(f));    memset(&ssn, 0, sizeof(ssn));    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);    FLOW_INITIALIZE(&f);    f.protoctx = (void *)&ssn;    f.flags |= FLOW_IPV4;    p->flow = &f;    p->flowflags |= FLOW_PKT_TOSERVER;    p->flowflags |= FLOW_PKT_ESTABLISHED;    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    f.alproto = ALPROTO_HTTP;    StreamTcpInitConfig(TRUE);    DetectEngineCtx *de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,            "alert tcp any any -> any any (msg:/"Testing http_method/"; "            "content:/"GET/"; http_method; sid:1;)");    if (s == NULL) {        goto end;    }    s = s->next = SigInit(de_ctx,            "alert tcp any any -> any any (msg:/"Testing http_method/"; "            "content:!/"GET/"; http_method; sid:2;)");    if (s == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, httpbuf1, httplen1);    if (r != 0) {        SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        goto end;    }    http_state = f.alstate;    if (http_state == NULL) {        SCLogDebug("no http state: ");        goto end;    }    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    if (!(PacketAlertCheck(p, 1))) {        printf("sid 1 didn't match but 
should have: ");        goto end;    }    if (PacketAlertCheck(p, 2)) {        printf("sid 2 matched but shouldn't have: ");        goto end;    }    result = 1;end:    if (de_ctx != NULL) {        SigGroupCleanup(de_ctx);        SigCleanSignatures(de_ctx);    }    if (det_ctx != NULL) {        DetectEngineThreadCtxDeinit(&th_v, (void *) det_ctx);    }    if (de_ctx != NULL) {        DetectEngineCtxFree(de_ctx);    }    StreamTcpFreeConfig(TRUE);    FLOW_DESTROY(&f);    UTHFreePackets(&p, 1);    return result;//.........这里部分代码省略.........
开发者ID:dabarb1,项目名称:suricata,代码行数:101,


示例16: XBitsTestSig01

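/**
 * \test Load a rule that sets the xbit "abc" (tracked per ip_pair) on a
 *       "GET " content match and run one hand-built TCP packet through it.
 *
 * The test does not check for an alert; it passes once the rule has been
 * accepted and the packet inspected.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int XBitsTestSig01(void)
{
    /* "\r\n" line endings; the listing had the backslashes garbled. */
    uint8_t *buf = (uint8_t *)
                    "GET /one/ HTTP/1.1\r\n"
                    "Host: one.example.org\r\n"
                    "\r\n";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = SCMalloc(SIZE_OF_PACKET);
    if (unlikely(p == NULL))
        return 0;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    /* The packet is filled in by hand, so start from an all-zero structure. */
    memset(p, 0, SIZE_OF_PACKET);
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->payload = buf;
    p->payload_len = buflen;
    p->proto = IPPROTO_TCP;

    XBitsTestSetup();

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        printf("bad de_ctx: ");
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx,
            "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:1;)");
    if (s == NULL) {
        printf("bad sig: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    result = 1;

end:
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
    }

    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }

    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }
    XBitsTestShutdown();

    SCFree(p);
    return result;
}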
开发者ID:H5eye,项目名称:suricata,代码行数:68,


示例17: DetectSshVersionTestDetect03

/** /test Send a get request in three chunks + more data. */static int DetectSshVersionTestDetect03(void) {    int result = 0;    Flow f;    uint8_t sshbuf1[] = "SSH-1.";    uint32_t sshlen1 = sizeof(sshbuf1) - 1;    uint8_t sshbuf2[] = "7-PuTTY_2.123" ;    uint32_t sshlen2 = sizeof(sshbuf2) - 1;    uint8_t sshbuf3[] = "/n";    uint32_t sshlen3 = sizeof(sshbuf3) - 1;    uint8_t sshbuf4[] = "whatever...";    uint32_t sshlen4 = sizeof(sshbuf4) - 1;    TcpSession ssn;    Packet *p = NULL;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    memset(&th_v, 0, sizeof(th_v));    memset(&f, 0, sizeof(f));    memset(&ssn, 0, sizeof(ssn));    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);    FLOW_INITIALIZE(&f);    f.protoctx = (void *)&ssn;    p->flow = &f;    p->flowflags |= FLOW_PKT_TOSERVER;    p->flowflags |= FLOW_PKT_ESTABLISHED;    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    f.alproto = ALPROTO_SSH;    StreamTcpInitConfig(TRUE);    DetectEngineCtx *de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:/"SSH/"; ssh.protoversion:2_compat; sid:1;)");    if (s == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);    int r = AppLayerParse(NULL, &f, ALPROTO_SSH, STREAM_TOSERVER, sshbuf1, sshlen1);    if (r != 0) {        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        goto end;    }    r = AppLayerParse(NULL, &f, ALPROTO_SSH, STREAM_TOSERVER, sshbuf2, sshlen2);    if (r != 0) {        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);        goto end;    }    r = AppLayerParse(NULL, &f, ALPROTO_SSH, STREAM_TOSERVER, sshbuf3, sshlen3);    if (r != 0) {        printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);        goto end;    }    r = AppLayerParse(NULL, &f, ALPROTO_SSH, 
STREAM_TOSERVER, sshbuf4, sshlen4);    if (r != 0) {        printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);        goto end;    }    SshState *ssh_state = f.alstate;    if (ssh_state == NULL) {        printf("no ssh state: ");        goto end;    }    /* do detect */    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    if (PacketAlertCheck(p, 1)) {        printf("Error, 1.7 version is not 2 compat, so the sig should not match: ");        goto end;    }    result = 1;end:    SigGroupCleanup(de_ctx);    SigCleanSignatures(de_ctx);    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);    DetectEngineCtxFree(de_ctx);    StreamTcpFreeConfig(TRUE);    FLOW_DESTROY(&f);    UTHFreePackets(&p, 1);    return result;//.........这里部分代码省略.........
开发者ID:jerryma119,项目名称:suricata,代码行数:101,


示例18: DetectThresholdTestSig1

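/**
 * \test Match one packet eight times against a rule carrying
 *       "threshold: type limit, track by_dst, count 5, seconds 60" and
 *       check that exactly five alerts are counted.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectThresholdTestSig1(void) {
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    /* stays NULL until DetectEngineThreadCtxInit() has run, so cleanup can skip it */
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;
    int alerts = 0;
    int i;

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacketReal((uint8_t *)"A", 1, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
    if (p == NULL) {
        goto end;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);

    if (s->flags & SIG_FLAG_IPONLY) {
        printf("signature is ip-only: ");
        goto end;
    }

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* eight inspection rounds on the same packet; five alerts are expected */
    for (i = 0; i < 8; i++) {
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
        alerts += PacketAlertCheck(p, 1);
    }

    if (alerts == 5) {
        result = 1;
    } else {
        printf("alerts %"PRIi32", expected 5: ", alerts);
    }

end:
    /* single exit path: every early failure releases what was set up so far */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL) {
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        }
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePackets(&p, 1);
    }
    return result;
}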
开发者ID:58698301,项目名称:suricata,代码行数:66,


示例19: DetectSameipSigTest01Real

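/**
 * \internal
 * \brief This test tests sameip success and failure.
 *
 * A packet whose source and destination address are both 1.2.3.4 must
 * alert on sid 1; a packet from 1.2.3.4 to 4.3.2.1 must not.
 *
 * \param mpm_type value stored in de_ctx->mpm_matcher for this run
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectSameipSigTest01Real(int mpm_type)
{
    uint8_t *buf = (uint8_t *)
                    "GET / HTTP/1.0\r\n"
                    "\r\n";
    uint16_t buflen = strlen((char *)buf);
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    /* stays NULL until DetectEngineThreadCtxInit() has run, so cleanup can skip it */
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));

    /* First packet has same IPs */
    p1 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, "1.2.3.4", "1.2.3.4");

    /* Second packet does not have same IPs */
    p2 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, "1.2.3.4", "4.3.2.1");

    if (p1 == NULL || p2 == NULL) {
        goto end;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->mpm_matcher = mpm_type;
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,
                                     "alert tcp any any -> any any "
                                     "(msg:\"Testing sameip\"; sameip; sid:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
    if (PacketAlertCheck(p1, 1) == 0) {
        /* the rule under test is sid 1 */
        printf("sid 1 did not alert, but should have: ");
        goto end;
    }

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
    if (PacketAlertCheck(p2, 1) != 0) {
        printf("sid 1 alerted, but should not have: ");
        goto end;
    }

    result = 1;

end:
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL) {
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        }
        DetectEngineCtxFree(de_ctx);
    }
    /* both test packets are owned by this function and released on every path */
    if (p1 != NULL) {
        UTHFreePacket(p1);
    }
    if (p2 != NULL) {
        UTHFreePacket(p2);
    }
    return result;
}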
开发者ID:H5eye,项目名称:suricata,代码行数:66,


示例20: DetectReplaceLongPatternMatchTest

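/**
 * \test Test packet Matches
 * \param raw_eth_pkt pointer to the ethernet packet
 * \param pktsize size of the packet
 * \param sig pointer to the signature to test
 * \param sid sid number of the signature
 * \param pp optional output buffer; when non-NULL the packet data is copied
 *           into it after a successful match
 * \param len optional output; when pp and len are non-NULL it receives pktsize
 * \retval return 1 if match
 * \retval return 0 if not
 *
 * \note The capacity of pp is not passed in, so the copy cannot be bounded
 *       here: the caller must supply a buffer at least as large as the
 *       packet.
 */
int DetectReplaceLongPatternMatchTest(uint8_t *raw_eth_pkt, uint16_t pktsize, char *sig,
                                      uint32_t sid, uint8_t *pp, uint16_t *len)
{
    int result = 0;

    Packet *p = NULL;
    p = PacketGetFromAlloc();
    if (unlikely(p == NULL))
        return 0;

    DecodeThreadVars dtv;

    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;

    if (pp == NULL) {
        SCLogDebug("replace: looks like a second run");
    }

    PacketCopyData(p, raw_eth_pkt, pktsize);
    memset(&dtv, 0, sizeof(DecodeThreadVars));
    memset(&th_v, 0, sizeof(th_v));

    FlowInitConfig(FLOW_QUIET);
    DecodeEthernet(&th_v, &dtv, p, GET_PKT_DATA(p), pktsize, NULL);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, sig);
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    de_ctx->sig_list->next = NULL;

    /* a signature without any payload match leaves this list tail NULL;
     * check before dereferencing it */
    if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH] != NULL &&
        de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->type == DETECT_CONTENT) {
        DetectContentData *co = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
        if (co->flags & DETECT_CONTENT_RELATIVE_NEXT) {
            printf("relative next flag set on final match which is content: ");
            goto end;
        }
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (PacketAlertCheck(p, sid) != 1) {
        SCLogDebug("replace: no alert on sig %d", sid);
        goto end;
    }

    if (pp != NULL) {
        /* unbounded on the destination side: pp must hold GET_PKT_LEN(p) bytes */
        memcpy(pp, GET_PKT_DATA(p), GET_PKT_LEN(p));
        if (len != NULL) {
            *len = pktsize;
        }
        SCLogDebug("replace: copying %d on %p", pktsize, pp);
    }

    result = 1;

end:
    if (de_ctx != NULL)
    {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    FlowShutdown();
    SCFree(p);

    return result;
}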
开发者ID:PhilSchroeder,项目名称:suricata,代码行数:89,


示例21: DetectSslStateTest07

//.........这里部分代码省略.........    FLOWLOCK_WRLOCK(&f);    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,                            STREAM_TOSERVER | STREAM_START, chello_buf,                            chello_buf_len);    FAIL_IF(r != 0);    FLOWLOCK_UNLOCK(&f);    ssl_state = f.alstate;    FAIL_IF(ssl_state == NULL);    /* do detect */    p->alerts.cnt = 0;    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    FAIL_IF(!PacketAlertCheck(p, 1));    FAIL_IF(PacketAlertCheck(p, 2));    FAIL_IF(PacketAlertCheck(p, 3));    FAIL_IF(PacketAlertCheck(p, 4));    FAIL_IF(PacketAlertCheck(p, 5));    FLOWLOCK_WRLOCK(&f);    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,                            shello_buf, shello_buf_len);    FAIL_IF(r != 0);    FLOWLOCK_UNLOCK(&f);    /* do detect */    p->alerts.cnt = 0;    p->flowflags = (FLOW_PKT_TOCLIENT | FLOW_PKT_ESTABLISHED);    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    FAIL_IF(PacketAlertCheck(p, 1));    FAIL_IF(!PacketAlertCheck(p, 2));    FAIL_IF(PacketAlertCheck(p, 3));    FAIL_IF(PacketAlertCheck(p, 4));    FAIL_IF(!PacketAlertCheck(p, 5));    PASS;    FLOWLOCK_WRLOCK(&f);    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,                            client_change_cipher_spec_buf,                            client_change_cipher_spec_buf_len);    FAIL_IF(r != 0);    FLOWLOCK_UNLOCK(&f);    /* do detect */    p->alerts.cnt = 0;    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    FAIL_IF(PacketAlertCheck(p, 1));    FAIL_IF(PacketAlertCheck(p, 2));    FAIL_IF(!PacketAlertCheck(p, 3));    FAIL_IF(PacketAlertCheck(p, 4));    FLOWLOCK_WRLOCK(&f);    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,                            server_change_cipher_spec_buf,                            server_change_cipher_spec_buf_len);    FAIL_IF(r != 0);    FLOWLOCK_UNLOCK(&f);    /* do detect */    p->alerts.cnt = 0;    SigMatchSignatures(&th_v, de_ctx, 
det_ctx, p);    FAIL_IF(PacketAlertCheck(p, 1));    FAIL_IF(PacketAlertCheck(p, 2));    FAIL_IF(PacketAlertCheck(p, 3));    FAIL_IF(PacketAlertCheck(p, 4));    FLOWLOCK_WRLOCK(&f);    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,                            toserver_app_data_buf, toserver_app_data_buf_len);    FAIL_IF(r != 0);    FLOWLOCK_UNLOCK(&f);    /* do detect */    p->alerts.cnt = 0;    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    FAIL_IF(PacketAlertCheck(p, 1));    FAIL_IF(PacketAlertCheck(p, 2));    FAIL_IF(PacketAlertCheck(p, 3));    FAIL_IF(PacketAlertCheck(p, 4));    if (alp_tctx != NULL)        AppLayerParserThreadCtxFree(alp_tctx);    SigGroupCleanup(de_ctx);    SigCleanSignatures(de_ctx);    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);    DetectEngineCtxFree(de_ctx);    StreamTcpFreeConfig(TRUE);    FLOW_DESTROY(&f);    UTHFreePackets(&p, 1);    PASS;}
开发者ID:P1sec,项目名称:suricata,代码行数:101,


示例22: DetectThresholdTestSig6Ticks

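/**
 * \test Match one packet eight times against two rules (sid 1 and sid 1000),
 *       each with "threshold: type limit, track by_dst, count 5, seconds 60",
 *       print the CPU ticks the eight rounds took and check that ten alerts
 *       are counted in total.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectThresholdTestSig6Ticks(void) {
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    /* stays NULL until DetectEngineThreadCtxInit() has run, so cleanup can skip it */
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;
    int alerts = 0;
    int i;

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacketReal((uint8_t *)"A", 1, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
    if (p == NULL) {
        goto end;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    s = s->next = SigInit(de_ctx, "alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    uint64_t ticks_start = 0;
    uint64_t ticks_end = 0;

    ticks_start = UtilCpuGetTicks();
    /* eight inspection rounds; five alerts per rule are expected */
    for (i = 0; i < 8; i++) {
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
        alerts += PacketAlertCheck(p, 1);
        alerts += PacketAlertCheck(p, 1000);
    }
    ticks_end = UtilCpuGetTicks();
    printf("test run %"PRIu64"\n", (ticks_end - ticks_start));

    if (alerts == 10) {
        result = 1;
    }

end:
    /* single exit path: a failed SigInit() no longer leaks the engine context */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL) {
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        }
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePackets(&p, 1);
    }
    return result;
}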
开发者ID:58698301,项目名称:suricata,代码行数:78,


示例23: DetectHttpStatMsgSigTest03

/** /test Check the signature working to alert when http_stat_msg is used with *        negated content . */static int DetectHttpStatMsgSigTest03(void) {    int result = 0;    Flow f;    uint8_t httpbuf1[] = "POST / HTTP/1.0/r/nUser-Agent: Mozilla/1.0/r/n/r/n";    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the /0 */    uint8_t httpbuf2[] = "HTTP/1.0 200 OK/r/n/r/n";    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the /0 */    TcpSession ssn;    Packet *p = NULL;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    HtpState *http_state = NULL;    memset(&th_v, 0, sizeof(th_v));    memset(&f, 0, sizeof(f));    memset(&ssn, 0, sizeof(ssn));    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);    FLOW_INITIALIZE(&f);    f.protoctx = (void *)&ssn;    f.flags |= FLOW_IPV4;    p->flow = &f;    p->flowflags |= FLOW_PKT_TOCLIENT;    p->flowflags |= FLOW_PKT_ESTABLISHED;    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    f.alproto = ALPROTO_HTTP;    StreamTcpInitConfig(TRUE);    DetectEngineCtx *de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"                                   "/"HTTP status message/"; content:/"ok/"; "                                   "nocase; http_stat_msg; sid:1;)");    if (s == NULL) {        goto end;    }    s->next = SigInit(de_ctx,"alert http any any -> any any (msg:/"HTTP "                        "Status message nocase/"; content:!/"Not/"; "                        "http_stat_msg; sid:2;)");    if (s->next == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, httpbuf1, httplen1);    if (r != 0) {        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        result = 0;        goto end;    }    r = AppLayerParse(NULL, 
&f, ALPROTO_HTTP, STREAM_TOCLIENT, httpbuf2, httplen2);    if (r != 0) {        printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);        result = 0;        goto end;    }    http_state = f.alstate;    if (http_state == NULL) {        printf("no http state: ");        result = 0;        goto end;    }    /* do detect */    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    if (! PacketAlertCheck(p, 1)) {        printf("sid 1 didn't matched but should have: ");        goto end;    }    if (! PacketAlertCheck(p, 2)) {        printf("sid 2 didn't matched but should have: ");        goto end;    }    result = 1;end:    if (det_ctx != NULL) {        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);    }    if (de_ctx != NULL) {        SigGroupCleanup(de_ctx);        DetectEngineCtxFree(de_ctx);    }//.........这里部分代码省略.........
开发者ID:JakeGNA,项目名称:suricata,代码行数:101,


示例24: PayloadTestSig13

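/**
 * \test Used to check the working of recursion_limit counter.
 *
 * Builds a payload made only of 'a' bytes, inspects it with a rule that
 * chains three relative "aa" content matches and a byte_test, with
 * inspection_recursion_limit set to 3000, and prints the elapsed wall-clock
 * time.
 *
 * NOTE(review): result is set to 1 after the timing output regardless of
 * the alert check, so as written only a crash or hang can fail this test.
 *
 * \retval 1 unless the test packet could not be built
 */
static int PayloadTestSig13(void)
{
    uint8_t *buf = (uint8_t *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

    uint16_t buflen = strlen((char *)buf);
    Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
    int result = 0;
    uint16_t mpm_type = DEFAULT_MPM;

    char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
        "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
        "byte_test:1,>,200,0,relative; sid:1;)";

    struct timeval tv_start, tv_end, tv_diff;

    /* without a packet there is nothing to inspect */
    if (p == NULL) {
        printf("p == NULL: ");
        return 0;
    }

    gettimeofday(&tv_start, NULL);

    do {
        ThreadVars th_v;
        DetectEngineThreadCtx *det_ctx = NULL;

        memset(&th_v, 0, sizeof(th_v));

        DetectEngineCtx *de_ctx = DetectEngineCtxInit();
        if (de_ctx == NULL) {
            printf("de_ctx == NULL: ");
            goto end;
        }
        de_ctx->inspection_recursion_limit = 3000;

        de_ctx->flags |= DE_QUIET;
        de_ctx->mpm_matcher = mpm_type;

        de_ctx->sig_list = SigInit(de_ctx, sig);
        if (de_ctx->sig_list == NULL) {
            printf("signature == NULL: ");
            goto end;
        }

        SigGroupBuild(de_ctx);
        DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

        if (PacketAlertCheck(p, de_ctx->sig_list->id) != 1) {
            goto end;
        }

        result = 1;
    end:
        /* the cleanup helpers are only called with a valid engine context */
        if (de_ctx != NULL) {
            SigGroupCleanup(de_ctx);
            SigCleanSignatures(de_ctx);
            if (det_ctx != NULL)
                DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
            DetectEngineCtxFree(de_ctx);
        }
    } while (0);

    gettimeofday(&tv_end, NULL);

    tv_diff.tv_sec = tv_end.tv_sec - tv_start.tv_sec;
    tv_diff.tv_usec = tv_end.tv_usec - tv_start.tv_usec;
    /* borrow a second when the microsecond part went negative */
    if (tv_diff.tv_usec < 0) {
        tv_diff.tv_sec -= 1;
        tv_diff.tv_usec += 1000000;
    }

    printf("%ld.%06ld\n", (long int)tv_diff.tv_sec, (long int)tv_diff.tv_usec);

    /* kept from the original: the outcome of the alert check is overridden */
    result = 1;

    UTHFreePacket(p);

    return result;
}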
开发者ID:P1sec,项目名称:suricata,代码行数:95,


示例25: DetectThresholdTestSig3

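/**
 * \test Inspect one packet three times against a "type limit, track by_dst,
 *       count 5, seconds 60" rule, advance the test clock by 200 with
 *       TimeSetIncrementTime(), inspect three more times and check that the
 *       threshold entry found in the by_dst hash table has current_count 3.
 *
 * NOTE(review): presumably the count is 3 because the 60 second window has
 * expired and the counter restarted; confirm against the threshold code.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectThresholdTestSig3(void) {
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    /* stays NULL until DetectEngineThreadCtxInit() has run, so cleanup can skip it */
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;
    int alerts = 0;
    int i;
    struct timeval ts;
    DetectThresholdData *td = NULL;
    DetectThresholdEntry *lookup_tsh = NULL;
    DetectThresholdEntry *ste = NULL;

    memset (&ts, 0, sizeof(struct timeval));
    TimeGet(&ts);

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacketReal((uint8_t *)"A", 1, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
    if (p == NULL) {
        goto end;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    td = SigGetThresholdType(s, p);
    if (td == NULL) {
        printf("no threshold data for the signature: ");
        goto end;
    }

    /* setup the Entry we use to search our hash with */
    ste = SCMalloc(sizeof(DetectThresholdEntry));
    if (ste == NULL)
        goto end;
    /* zero the whole entry, not just sizeof(pointer) bytes: the lookup below
     * is handed sizeof(DetectThresholdEntry) bytes of this key */
    memset(ste, 0x00, sizeof(*ste));

    if (PKT_IS_IPV4(p))
        ste->ipv = 4;
    else if (PKT_IS_IPV6(p))
        ste->ipv = 6;

    ste->sid = s->id;
    ste->gid = s->gid;

    if (td->track == TRACK_DST) {
        COPY_ADDRESS(&p->dst, &ste->addr);
    } else if (td->track == TRACK_SRC) {
        COPY_ADDRESS(&p->src, &ste->addr);
    }

    ste->track = td->track;

    TimeGet(&p->ts);

    for (i = 0; i < 3; i++) {
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    }

    lookup_tsh = (DetectThresholdEntry *)HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_dst, ste, sizeof(DetectThresholdEntry));
    if (lookup_tsh == NULL) {
        printf("lookup_tsh is NULL: ");
        goto end;
    }

    TimeSetIncrementTime(200);
    TimeGet(&p->ts);

    for (i = 0; i < 3; i++) {
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    }

    alerts = lookup_tsh->current_count;

    if (alerts == 3) {
        result = 1;
    } else {
        printf("alerts %d != 3: ", alerts);
    }

end:
    /* single exit path: the lookup key and the engine are released on every path */
    SCFree(ste);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL) {
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        }
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePackets(&p, 1);
    }
    return result;
}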
开发者ID:58698301,项目名称:suricata,代码行数:97,


示例26: DetectFragOffsetMatchTest01

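/**
 * \test DetectFragOffsetMatchTest01 is a test for checking the working of
 *       fragoffset keyword by creating 2 rules and matching a crafted packet
 *       against them. Only the first one shall trigger.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
int DetectFragOffsetMatchTest01 (void)
{
    int result = 0;
    Packet *p = SCMalloc(SIZE_OF_PACKET);
    if (unlikely(p == NULL))
        return 0;
    Signature *s = NULL;
    DecodeThreadVars dtv;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    IPV4Hdr ip4h;

    memset(p, 0, SIZE_OF_PACKET);
    memset(&ip4h, 0, sizeof(IPV4Hdr));
    memset(&dtv, 0, sizeof(DecodeThreadVars));
    memset(&th_v, 0, sizeof(ThreadVars));

    FlowInitConfig(FLOW_QUIET);

    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->src.addr_data32[0] = 0x01020304;
    p->dst.addr_data32[0] = 0x04030201;

    ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
    ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
    /* raw ip_off value of the crafted header the two rules are matched against */
    ip4h.ip_off = 0x2222;
    p->ip4h = &ip4h;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any any (fragoffset:546; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    s = s->next = SigInit(de_ctx, "alert ip any any -> any any (fragoffset:5000; sid:2;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1) == 0) {
        printf("sid 1 did not alert, but should have: ");
        goto end;
    } else if (PacketAlertCheck(p, 2)) {
        printf("sid 2 alerted, but should not have: ");
        goto end;
    }

    result = 1;

end:
    /* single exit path: the engine is freed and FlowInitConfig() is always
     * paired with FlowShutdown(), including when rule setup fails */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL) {
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        }
        DetectEngineCtxFree(de_ctx);
    }
    FlowShutdown();
    SCFree(p);
    return result;
}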
开发者ID:EmergingThreats,项目名称:suricata,代码行数:78,


示例27: DetectIcmpIdMatchTest02

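/**
 * \test DetectIcmpIdMatchTest02 is a test for checking the working of
 *       icmp_id keyword by creating 1 rule and matching a crafted packet
 *       against them. The packet is an ICMP packet with no "id" field,
 *       therefore the rule should not trigger.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
int DetectIcmpIdMatchTest02 (void)
{
    int result = 0;

    uint8_t raw_icmpv4[] = {
        0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
        0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
        0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
        0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
        0x00, 0x14, 0x00, 0x00 };

    Packet *p = PacketGetFromAlloc();
    if (unlikely(p == NULL))
        return 0;
    Signature *s = NULL;
    DecodeThreadVars dtv;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    IPV4Hdr ip4h;

    memset(&ip4h, 0, sizeof(IPV4Hdr));
    memset(&dtv, 0, sizeof(DecodeThreadVars));
    memset(&th_v, 0, sizeof(ThreadVars));

    FlowInitConfig(FLOW_QUIET);

    p->src.addr_data32[0] = 0x01020304;
    p->dst.addr_data32[0] = 0x04030201;

    ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
    ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
    p->ip4h = &ip4h;

    DecodeICMPV4(&th_v, &dtv, p, raw_icmpv4, sizeof(raw_icmpv4), NULL);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:0; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 alerted, but should not have: ");
        goto end;
    }

    result = 1;

end:
    /* single exit path: the engine is freed and FlowInitConfig() is always
     * paired with FlowShutdown(), including when rule setup fails */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL) {
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        }
        DetectEngineCtxFree(de_ctx);
    }
    FlowShutdown();
    SCFree(p);
    return result;
}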
开发者ID:BreakingTheory,项目名称:suricata,代码行数:76,


示例28: DetectSshVersionTestDetect01

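/**
 * \test Feed an SSH banner ("SSH-1.10-PuTTY_2.123" plus newline) to the SSH
 *       parser in three chunks, followed by more data, and check that a rule
 *       with ssh.protoversion:1.10 alerts on sid 1.
 */
static int DetectSshVersionTestDetect01(void)
{
    Flow f;
    uint8_t sshbuf1[] = "SSH-1.";
    uint32_t sshlen1 = sizeof(sshbuf1) - 1;
    uint8_t sshbuf2[] = "10-PuTTY_2.123" ;
    uint32_t sshlen2 = sizeof(sshbuf2) - 1;
    uint8_t sshbuf3[] = "\n";
    uint32_t sshlen3 = sizeof(sshbuf3) - 1;
    uint8_t sshbuf4[] = "whatever...";
    uint32_t sshlen4 = sizeof(sshbuf4) - 1;
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    /* the parser context is passed to every AppLayerParserParse() call below */
    FAIL_IF_NULL(alp_tctx);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    FAIL_IF_NULL(p);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    f.alproto = ALPROTO_SSH;
    f.proto = IPPROTO_TCP;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL (de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:1.10; sid:1;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SCLogDebug("==> 1");
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH,
                                STREAM_TOSERVER, sshbuf1, sshlen1);
    FAIL_IF(r != 0);

    SCLogDebug("==> 2");
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
                            sshbuf2, sshlen2);
    FAIL_IF(r != 0);

    SCLogDebug("==> 3");
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
                            sshbuf3, sshlen3);
    FAIL_IF(r != 0);

    SCLogDebug("==> 4");
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
                            sshbuf4, sshlen4);
    FAIL_IF(r != 0);

    SshState *ssh_state = f.alstate;
    FAIL_IF_NULL(ssh_state);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(!(PacketAlertCheck(p, 1)));

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);

    UTHFreePackets(&p, 1);
    AppLayerParserThreadCtxFree(alp_tctx);

    PASS;
}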
开发者ID:micsoftvn,项目名称:suricata,代码行数:85,


示例29: DetectThresholdTestSig4

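/**
 * \test Inspect one packet three times against a rule carrying
 *       "threshold: type both, track by_dst, count 2, seconds 60", advance
 *       the test clock by 200 with TimeSetIncrementTime(), inspect three
 *       more times and check that exactly two alerts were counted in total.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectThresholdTestSig4(void) {
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    /* stays NULL until DetectEngineThreadCtxInit() has run, so cleanup can skip it */
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;
    int alerts = 0;
    int i;
    struct timeval ts;

    memset (&ts, 0, sizeof(struct timeval));
    TimeGet(&ts);

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacketReal((uint8_t *)"A", 1, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
    if (p == NULL) {
        goto end;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any 80 (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    TimeGet(&p->ts);
    for (i = 0; i < 3; i++) {
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
        alerts += PacketAlertCheck(p, 10);
    }

    /* move the test clock forward before the second batch */
    TimeSetIncrementTime(200);
    TimeGet(&p->ts);

    for (i = 0; i < 3; i++) {
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
        alerts += PacketAlertCheck(p, 10);
    }

    if (alerts == 2) {
        result = 1;
    }

end:
    /* single exit path: a failed SigInit() no longer leaks the engine context */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL) {
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        }
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePackets(&p, 1);
    }
    return result;
}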
开发者ID:58698301,项目名称:suricata,代码行数:64,



注:本文中的DetectEngineThreadCtxDeinit函数示例整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。

