
自学教程:C++ DetectEngineThreadCtxInit函数代码示例

这篇教程C++ DetectEngineThreadCtxInit函数代码示例写得很实用,希望能帮到您。

本文整理汇总了 Suricata 入侵检测引擎单元测试（C 语言源码，非 C++）中 DetectEngineThreadCtxInit 函数的典型用法。从下列示例可以看到固定的调用模式：先用 DetectEngineCtxInit 创建 DetectEngineCtx，通过 SigInit / DetectEngineAppendSig 加载规则并调用 SigGroupBuild，再以 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx) 创建每线程的检测上下文，交给 SigMatchSignatures 做匹配，最后用 DetectEngineThreadCtxDeinit 释放。det_ctx 是通过出参返回的：调用前应把它初始化为 NULL，调用后检查是否仍为 NULL，否则初始化失败时会把未定义指针传给 SigMatchSignatures 和 DetectEngineThreadCtxDeinit。

在下文中一共展示了DetectEngineThreadCtxInit函数的30个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的C++代码示例。

示例1: DetectL3protoTestSig3

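/**
 * \test DetectL3protoTestSig3 checks l3_proto/ip_proto selection on a
 *       synthetic IPv6/TCP packet: the ipv4 rules (sids 1, 3) and the
 *       ipv6/udp rule (sid 2) must stay silent, only the ipv6/tcp rule
 *       (sid 4) may fire.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectL3protoTestSig3(void)
{
    int result = 0;
    Signature *s = NULL;
    ThreadVars th_v;
    IPV6Hdr ip6h;
    DetectEngineCtx *de_ctx = NULL;
    /* stays NULL until DetectEngineThreadCtxInit() has filled it in, so the
     * exit path knows whether there is a thread ctx to tear down */
    DetectEngineThreadCtx *det_ctx = NULL;

    Packet *p = SCMalloc(SIZE_OF_PACKET);
    if (unlikely(p == NULL))
        return 0;

    memset(&th_v, 0, sizeof(th_v));
    /* the matcher reads the header through p->ip6h: zero it instead of
     * handing it uninitialised stack memory */
    memset(&ip6h, 0, sizeof(ip6h));
    memset(p, 0, SIZE_OF_PACKET);
    p->pkt = (uint8_t *)(p + 1);
    p->src.family = AF_INET6;
    p->dst.family = AF_INET6;
    p->proto = IPPROTO_TCP;
    p->ip6h = &ip6h;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,
            "alert ip any any -> any any (msg:\"l3proto ipv4 and ip_proto udp\"; l3_proto:ipv4; ip_proto:17; sid:1;)");
    if (s == NULL)
        goto end;
    s = s->next = SigInit(de_ctx,
            "alert ip any any -> any any (msg:\"l3proto ipv6 and ip_proto udp\"; l3_proto:ipv6; ip_proto:17; sid:2;)");
    if (s == NULL)
        goto end;
    s = s->next = SigInit(de_ctx,
            "alert ip any any -> any any (msg:\"l3proto ip4 and ip_proto tcp\"; l3_proto:ipv4; ip_proto:6; sid:3;)");
    if (s == NULL)
        goto end;
    s = s->next = SigInit(de_ctx,
            "alert ip any any -> any any (msg:\"l3proto ipv6 and ip_proto tcp\"; l3_proto:ipv6; ip_proto:6; sid:4;)");
    if (s == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 alerted, but should not have: ");
    } else if (PacketAlertCheck(p, 2)) {
        printf("sid 2 alerted, but should not have: ");
    } else if (PacketAlertCheck(p, 3)) {
        printf("sid 3 alerted, but should not have: ");
    } else if (PacketAlertCheck(p, 4) == 0) {
        printf("sid 4 did not alert, but should have: ");
    } else {
        result = 1;
    }

end:
    /* single exit: each resource is released exactly when it was acquired,
     * including on the early SigInit failures that used to leak de_ctx */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    SCFree(p);
    return result;
}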
开发者ID:JakeGNA,项目名称:suricata,代码行数:78,


示例2: DetectDnsQueryTest05

//.........这里部分代码省略.........    p1->flow = &f;    p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    p1->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;    p2->flow = &f;    p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    p2->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;    p3->flow = &f;    p3->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    p3->flowflags |= FLOW_PKT_TOCLIENT|FLOW_PKT_ESTABLISHED;    p4->flow = &f;    p4->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    p4->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;    StreamTcpInitConfig(TRUE);    DetectEngineCtx *de_ctx = DetectEngineCtxInit();    FAIL_IF_NULL(de_ctx);    de_ctx->mpm_matcher = mpm_default_matcher;    de_ctx->flags |= DE_QUIET;    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "                              "(msg:/"Test dns_query option/"; "                              "dns_query; content:/"google.com/"; nocase; sid:1;)");    FAIL_IF_NULL(s);    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "                              "(msg:/"Test dns_query option/"; "                              "dns_query; content:/"google.net/"; nocase; sid:2;)");    FAIL_IF_NULL(s);    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);    FLOWLOCK_WRLOCK(&f);    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,                                STREAM_TOSERVER, buf1, sizeof(buf1));    if (r != 0) {        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        FLOWLOCK_UNLOCK(&f);        FAIL;    }    FLOWLOCK_UNLOCK(&f);    dns_state = f.alstate;    FAIL_IF_NULL(dns_state);    /* do detect */    SigMatchSignatures(&tv, de_ctx, det_ctx, p1);    if (PacketAlertCheck(p1, 1)) {        printf("(p1) sig 1 alerted, but it should not have: ");        FAIL;    }    if (PacketAlertCheck(p1, 2)) {        printf("(p1) sig 2 did alert, but it should not have: ");        FAIL;    }    FLOWLOCK_WRLOCK(&f);    r = 
AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,                            buf2, sizeof(buf2));    if (r != 0) {        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);        FLOWLOCK_UNLOCK(&f);
开发者ID:gozzy,项目名称:suricata,代码行数:67,


示例3: DetectIcmpIdMatchTest02

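/**
 * \test DetectIcmpIdMatchTest02 checks the icmp_id keyword against a crafted
 *       ICMPv4 packet that carries no "id" field (first byte 0x0b, i.e.
 *       type 11), so a rule using icmp_id:0 must not trigger.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
int DetectIcmpIdMatchTest02(void)
{
    int result = 0;
    uint8_t raw_icmpv4[] = {
        0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
        0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
        0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
        0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
        0x00, 0x14, 0x00, 0x00 };
    Signature *s = NULL;
    DecodeThreadVars dtv;
    ThreadVars th_v;
    IPV4Hdr ip4h;
    DetectEngineCtx *de_ctx = NULL;
    /* NULL until DetectEngineThreadCtxInit() succeeds; checked before use */
    DetectEngineThreadCtx *det_ctx = NULL;

    Packet *p = PacketGetFromAlloc();
    if (unlikely(p == NULL))
        return 0;

    memset(&ip4h, 0, sizeof(IPV4Hdr));
    memset(&dtv, 0, sizeof(DecodeThreadVars));
    memset(&th_v, 0, sizeof(ThreadVars));

    FlowInitConfig(FLOW_QUIET);

    p->src.addr_data32[0] = 0x01020304;
    p->dst.addr_data32[0] = 0x04030201;
    ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
    ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
    p->ip4h = &ip4h;

    DecodeICMPV4(&th_v, &dtv, p, raw_icmpv4, sizeof(raw_icmpv4), NULL);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:0; sid:1;)");
    if (s == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 alerted, but should not have: ");
        goto end;
    }
    result = 1;

end:
    /* one exit path so a failed DetectEngineCtxInit/SigInit no longer leaks
     * de_ctx or skips FlowShutdown() */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    /* FlowInitConfig() ran unconditionally above, so it is always paired */
    FlowShutdown();
    SCFree(p);
    return result;
}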
开发者ID:thus,项目名称:suricata,代码行数:76,


示例4: DetectAppLayerEventTest04

int DetectAppLayerEventTest04(void){    int result = 0;    ThreadVars tv;    TcpReassemblyThreadCtx *ra_ctx = NULL;    Packet *p = NULL;    Flow *f = NULL;    TcpSession ssn;    TcpStream stream_ts, stream_tc;    DetectEngineCtx *de_ctx = NULL;    DetectEngineThreadCtx *det_ctx = NULL;    uint8_t buf_ts[] = "GET /index.html HTTP/1.1/r/n"        "Host: 127.0.0.1/r/n"        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3/r/n"        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/r/n"        "Accept-Language: en-us,en;q=0.5/r/n"        "Accept-Encoding: gzip,deflate/r/n"        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7/r/n"        "Keep-Alive: 115/r/n"        "Connection: keep-alive/r/n"        "/r/n";    uint8_t buf_tc[] = "XTTP/1.1 200 OK/r/n"        "Date: Fri, 22 Oct 2010 12:31:08 GMT/r/n"        "Server: Apache/2.2.15 (Unix) DAV/2/r/n"        "Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT/r/n"        "ETag: /"ab8486-2c-3e9564c23b600/"/r/n"        "Accept-Ranges: bytes/r/n"        "Content-Length: 44/r/n"        "Keep-Alive: timeout=5, max=100/r/n"        "Connection: Keep-Alive/r/n"        "Content-Type: text/html/r/n"        "/r/n"        "<html><body><h1>It works!</h1></body></html>";    memset(&tv, 0, sizeof (ThreadVars));    memset(&ssn, 0, sizeof(TcpSession));    memset(&stream_ts, 0, sizeof(TcpStream));    memset(&stream_tc, 0, sizeof(TcpStream));    ssn.data_first_seen_dir = STREAM_TOSERVER;    de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL)        goto end;    de_ctx->flags |= DE_QUIET;    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "                               "(app-layer-event: applayer_detect_protocol_only_one_direction; "                               "sid:1;)");    if (de_ctx->sig_list == NULL)        goto end;    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);    f = UTHBuildFlow(AF_INET, 
"1.2.3.4", "1.2.3.5", 200, 220);    if (f == NULL)        goto end;    FLOW_INITIALIZE(f);    f->protoctx = &ssn;    f->proto = IPPROTO_TCP;    f->flags |= FLOW_IPV4;    p = PacketGetFromAlloc();    if (unlikely(p == NULL))        goto end;    p->flow = f;    p->src.family = AF_INET;    p->dst.family = AF_INET;    p->proto = IPPROTO_TCP;    ra_ctx = StreamTcpReassembleInitThreadCtx(&tv);    if (ra_ctx == NULL)        goto end;    StreamTcpInitConfig(TRUE);    p->flowflags = FLOW_PKT_TOSERVER;    if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_ts, buf_ts,                              sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0) {        printf("AppLayerHandleTCPData failure/n");        goto end;    }    SigMatchSignatures(&tv, de_ctx, det_ctx, p);    if (PacketAlertCheck(p, 1)) {        printf("sid 1 matched but shouldn't have/n");        goto end;    }    p->flowflags = FLOW_PKT_TOCLIENT;    if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_tc, buf_tc,                              sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0) {        printf("AppLayerHandleTCPData failure/n");        goto end;    }    SigMatchSignatures(&tv, de_ctx, det_ctx, p);    if (!PacketAlertCheck(p, 1)) {        printf("sid 1 didn't match but should have/n");        goto end;    }    result = 1;//.........这里部分代码省略.........
开发者ID:EmergingThreats,项目名称:suricata,代码行数:101,


示例5: DetectProtoTestSig01

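/**
 * \test DetectProtoTestSig01 checks the protocol field of the rule header on a
 *       TCP packet with a to_server flow: the udp rule (sid 1) must not alert,
 *       the ip rule (sid 2) and the tcp rule (sid 3) must.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectProtoTestSig01(void)
{
    int result = 0;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    Flow f;
    DetectEngineCtx *de_ctx = NULL;
    /* NULL until DetectEngineThreadCtxInit() succeeds; checked before use */
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&f, 0, sizeof(Flow));
    memset(&th_v, 0, sizeof(th_v));
    FLOW_INITIALIZE(&f);

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL)
        goto end;
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flags |= PKT_HAS_FLOW;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert udp any any -> any any "
            "(msg:\"Not tcp\"; flow:to_server; sid:1;)");
    if (s == NULL)
        goto end;
    s = s->next = SigInit(de_ctx, "alert ip any any -> any any "
            "(msg:\"IP\"; flow:to_server; sid:2;)");
    if (s == NULL)
        goto end;
    s = s->next = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"TCP\"; flow:to_server; sid:3;)");
    if (s == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 alerted, but should not have: ");
    } else if (PacketAlertCheck(p, 2) == 0) {
        printf("sid 2 did not alert, but should have: ");
    } else if (PacketAlertCheck(p, 3) == 0) {
        printf("sid 3 did not alert, but should have: ");
    } else {
        result = 1;
    }

end:
    /* the flow was initialised before any exit could happen, the rest is
     * released only if it was actually acquired */
    FLOW_DESTROY(&f);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}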
开发者ID:Hyperwise,项目名称:suricata,代码行数:74,


示例6: DetectFtpbounceTestALMatch03

/** * /test Check the ftpbounce match * /brief This test tests the ftpbounce condition match, based on *  the ftp layer parser */static int DetectFtpbounceTestALMatch03(void){    int result = 0;    uint8_t ftpbuf1[] = { 'P','O' };    uint32_t ftplen1 = sizeof(ftpbuf1);    uint8_t ftpbuf2[] = { 'R', 'T' };    uint32_t ftplen2 = sizeof(ftpbuf2);    uint8_t ftpbuf3[] = { ' ', '1',',','2',',' };    uint32_t ftplen3 = sizeof(ftpbuf3);    uint8_t ftpbuf4[] = "3,4,10,20/r/n";    uint32_t ftplen4 = sizeof(ftpbuf4);    TcpSession ssn;    Flow f;    Packet *p = SCMalloc(SIZE_OF_PACKET);    if (unlikely(p == NULL))        return 0;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();    memset(&th_v, 0, sizeof(th_v));    memset(p, 0, SIZE_OF_PACKET);    memset(&f, 0, sizeof(f));    memset(&ssn, 0, sizeof(ssn));    p->src.family = AF_INET;    p->dst.family = AF_INET;    p->src.addr_data32[0] = 0x04030201;    p->payload = NULL;    p->payload_len = 0;    p->proto = IPPROTO_TCP;    FLOW_INITIALIZE(&f);    f.src.address.address_un_data32[0]=0x04030201;    f.protoctx =(void *)&ssn;    f.proto = IPPROTO_TCP;    p->flow = &f;    p->flowflags |= FLOW_PKT_TOSERVER;    p->flowflags |= FLOW_PKT_ESTABLISHED;    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    f.alproto = ALPROTO_FTP;    StreamTcpInitConfig(TRUE);    DetectEngineCtx *de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "                                   "(msg:/"Ftp Bounce/"; ftpbounce; sid:1;)");    if (s == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);    FLOWLOCK_WRLOCK(&f);    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,                                STREAM_TOSERVER, ftpbuf1, ftplen1);    if (r != 0) {  
      SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        result = 0;        FLOWLOCK_UNLOCK(&f);        goto end;    }    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,                            ftpbuf2, ftplen2);    if (r != 0) {        SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);        result = 0;        FLOWLOCK_UNLOCK(&f);        goto end;    }    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,                            ftpbuf3, ftplen3);    if (r != 0) {        SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);        result = 0;        FLOWLOCK_UNLOCK(&f);        goto end;    }    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,                            ftpbuf4, ftplen4);    if (r != 0) {//.........这里部分代码省略.........
开发者ID:micsoftvn,项目名称:suricata,代码行数:101,


示例7: DetectHttpCookieSigTest07

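/**
 * \test DetectHttpCookieSigTest07 checks that a negated http_cookie content
 *       (content:!"dummy") stays silent when the request's Cookie header is
 *       exactly "dummy".
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectHttpCookieSigTest07(void)
{
    int result = 0;
    Flow f;
    uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
        "Cookie: dummy\r\n\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    int r;

    /* allocate before any global state is touched, so a failed allocation
     * can bail out with nothing to undo */
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    if (alp_tctx == NULL)
        return 0;
    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        AppLayerParserThreadCtxFree(alp_tctx);
        return 0;
    }

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP;

    StreamTcpInitConfig(TRUE);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any (msg:"
                                   "\"HTTP cookie\"; content:!\"dummy\"; "
                                   "http_cookie; sid:1;)");
    if (s == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    FLOWLOCK_WRLOCK(&f);
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
                            STREAM_TOSERVER, httpbuf1, httplen1);
    FLOWLOCK_UNLOCK(&f);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 alerted on cookie \"dummy\", but should not have: ");
        goto end;
    }
    result = 1;

end:
    AppLayerParserThreadCtxFree(alp_tctx);
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    StreamTcpFreeConfig(TRUE);
    /* pairs with FLOW_INITIALIZE() above, which was previously never undone */
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}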
开发者ID:kwong-solana,项目名称:suricata,代码行数:93,


示例8: DetectHttpResponseLineTest02

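/**
 * \test Test that http_response_line content matches against the status line
 *       of an HTTP response: sid 1 must stay silent while the packet is
 *       flagged to_server (request side) and must fire once it is flagged
 *       to_client.
 */
static int DetectHttpResponseLineTest02(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: This is dummy message body\r\n"
        "Content-Type: text/html\r\n"
        "\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    uint8_t http_buf2[] =
        "HTTP/1.0 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 7\r\n"
        "\r\n"
        "message";
    uint32_t http_len2 = sizeof(http_buf2) - 1;

    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    FAIL_IF_NULL(alp_tctx);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    FAIL_IF_NULL(p);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p->flow = &f;
    p->flowflags |= (FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED);
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP;

    StreamTcpInitConfig(TRUE);

    de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, "alert http any any -> any any "
                               "(http_response_line; content:\"HTTP/1.0 200 OK\"; "
                               "sid:1;)");
    FAIL_IF_NULL(de_ctx->sig_list);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    /* a failed init leaves det_ctx NULL; SigMatchSignatures() must not see it */
    FAIL_IF_NULL(det_ctx);

    int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    FAIL_IF(r != 0);

    http_state = f.alstate;
    FAIL_IF_NULL(http_state);

    r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2);
    FAIL_IF(r != 0);

    /* do detect: request direction first, the response-line buffer must not
     * be inspected here */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(PacketAlertCheck(p, 1));

    /* same packet flagged as response direction: now it must alert */
    p->flowflags = (FLOW_PKT_TOCLIENT|FLOW_PKT_ESTABLISHED);
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!(PacketAlertCheck(p, 1)));

    AppLayerParserThreadCtxFree(alp_tctx);
    /* the thread ctx was never released before; free it ahead of its de_ctx */
    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    PASS;
}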
开发者ID:thus,项目名称:suricata,代码行数:89,


示例9: DetectEngineSMTPFiledataTest03

static int DetectEngineSMTPFiledataTest03(void){    uint8_t mimemsg1[] = {0x65, 0x76,};    uint8_t mimemsg2[] = {0x69, 0x6C,};    uint32_t mimemsg1_len = sizeof(mimemsg1) - 1;    uint32_t mimemsg2_len = sizeof(mimemsg2) - 1;    TcpSession ssn;    Packet *p;    ThreadVars th_v;    DetectEngineCtx *de_ctx = NULL;    DetectEngineThreadCtx *det_ctx = NULL;    SMTPState *smtp_state = NULL;    Flow f;    int result = 1;    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();    memset(&th_v, 0, sizeof(th_v));    memset(&f, 0, sizeof(f));    memset(&ssn, 0, sizeof(ssn));    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);    FLOW_INITIALIZE(&f);    f.protoctx = (void *)&ssn;    f.proto = IPPROTO_TCP;    f.flags |= FLOW_IPV4;    f.alstate = SMTPStateAlloc();    MimeDecParseState *state = MimeDecInitParser(&f, NULL);    ((MimeDecEntity *)state->stack->top->data)->ctnt_flags = CTNT_IS_ATTACHMENT;    state->body_begin = 1;    if (SMTPProcessDataChunk((uint8_t *)mimemsg1, sizeof(mimemsg1), state) != 0)        goto end;    if (SMTPProcessDataChunk((uint8_t *)mimemsg2, sizeof(mimemsg2), state) != 0)        goto end;    p->flow = &f;    p->flowflags |= FLOW_PKT_TOSERVER;    p->flowflags |= FLOW_PKT_ESTABLISHED;    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    f.alproto = ALPROTO_SMTP;    StreamTcpInitConfig(TRUE);    de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL)        goto end;    de_ctx->flags |= DE_QUIET;    de_ctx->sig_list = SigInit(de_ctx, "alert smtp any any -> any any "                               "(msg:/"file_data smtp test/"; "                               "file_data; content:/"evil/"; sid:1;)");    if (de_ctx->sig_list == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);    FLOWLOCK_WRLOCK(&f);    int r = 0;    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SMTP,                            STREAM_TOSERVER, mimemsg1, mimemsg1_len);    if (r != 0) {        
printf("AppLayerParse for smtp failed. Returned %d", r);        FLOWLOCK_UNLOCK(&f);        goto end;    }    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SMTP,                            STREAM_TOSERVER, mimemsg2, mimemsg2_len);    if (r != 0) {        printf("AppLayerParse for smtp failed. Returned %d", r);        FLOWLOCK_UNLOCK(&f);        goto end;    }    FLOWLOCK_UNLOCK(&f);    smtp_state = f.alstate;    if (smtp_state == NULL) {        printf("no smtp state: ");        goto end;    }    /* do detect */    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    if (PacketAlertCheck(p, 1)) {        printf("sid 1 matched but shouldn't have/n");        goto end;    }    result = 0;end:    if (alp_tctx != NULL)        AppLayerParserThreadCtxFree(alp_tctx);//.........这里部分代码省略.........
开发者ID:norg,项目名称:suricata,代码行数:101,


示例10: DetectDetectionFilterTestSig1

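/**
 * \test DetectDetectionFilterTestSig1 checks the detection_filter keyword by
 *       running one packet through detection 8 times against a rule with
 *       "count 4, seconds 60": the assertion below requires exactly 4 alerts,
 *       i.e. the first 4 matches inside the window are suppressed.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectDetectionFilterTestSig1(void)
{
    int result = 0;
    int alerts = 0;
    int i;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    /* NULL until DetectEngineThreadCtxInit() succeeds; checked before use */
    DetectEngineThreadCtx *det_ctx = NULL;

    HostInitConfig(HOST_QUIET);
    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
    if (p == NULL)
        goto end;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,
            "alert tcp any any -> any 80 (msg:\"detection_filter Test\"; detection_filter: track by_dst, count 4, seconds 60; sid:1;)");
    if (s == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    /* eight passes of the same packet, counting how often sid 1 fired */
    for (i = 0; i < 8; i++) {
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
        alerts += PacketAlertCheck(p, 1);
    }

    if (alerts == 4)
        result = 1;
    else
        printf("alerts: %d != 4: ", alerts);

end:
    /* one exit path so a failed DetectEngineCtxInit/SigInit no longer leaks */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL)
        UTHFreePackets(&p, 1);
    /* HostInitConfig() ran unconditionally above, so it is always paired */
    HostShutdown();
    return result;
}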
开发者ID:H5eye,项目名称:suricata,代码行数:69,


示例11: DetectDetectionFilterTestSig3

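/**
 * \test DetectDetectionFilterTestSig3 checks that a drop rule guarded by
 *       detection_filter ("count 2, seconds 60") both alerts and drops only
 *       once the threshold is crossed, and that the window restarts after the
 *       clock is moved forward by 200 s: the assertion requires 3 alerts and
 *       3 drops over 7 passes (3 before the jump, 4 after).
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int DetectDetectionFilterTestSig3(void)
{
    int result = 0;
    int alerts = 0;
    int drops = 0;
    int i;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    /* NULL until DetectEngineThreadCtxInit() succeeds; checked before use */
    DetectEngineThreadCtx *det_ctx = NULL;

    HostInitConfig(HOST_QUIET);
    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
    if (p == NULL)
        goto end;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,
            "drop tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 2, seconds 60; sid:10;)");
    if (s == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    if (det_ctx == NULL) {
        printf("DetectEngineThreadCtxInit failed: ");
        goto end;
    }

    TimeGet(&p->ts);
    /* seven passes of the same packet: three inside the first window, then
     * the clock jumps 200 s so the remaining four start a fresh window */
    for (i = 0; i < 7; i++) {
        if (i == 3) {
            TimeSetIncrementTime(200);
            TimeGet(&p->ts);
        }
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
        alerts += PacketAlertCheck(p, 10);
        drops += (PACKET_TEST_ACTION(p, ACTION_DROP)) ? 1 : 0;
        /* clear the verdict so the next pass counts only its own drop */
        p->action = 0;
    }

    if (alerts == 3 && drops == 3) {
        result = 1;
    } else {
        if (alerts != 3)
            printf("alerts: %d != 3: ", alerts);
        if (drops != 3)
            printf("drops: %d != 3: ", drops);
    }

end:
    /* one exit path so a failed DetectEngineCtxInit/SigInit no longer leaks */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL)
        UTHFreePackets(&p, 1);
    /* HostInitConfig() ran unconditionally above, so it is always paired */
    HostShutdown();
    return result;
}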
开发者ID:H5eye,项目名称:suricata,代码行数:97,


示例12: DetectSslVersionTestDetect03

static int DetectSslVersionTestDetect03(void){    DetectEngineCtx *de_ctx = NULL;    int result = 0;    Flow f;    uint8_t sslbuf1[] = { 0x16 };    uint32_t ssllen1 = sizeof(sslbuf1);    uint8_t sslbuf2[] = { 0x03 };    uint32_t ssllen2 = sizeof(sslbuf2);    uint8_t sslbuf3[] = { 0x01 };    uint32_t ssllen3 = sizeof(sslbuf3);    uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 };    uint32_t ssllen4 = sizeof(sslbuf4);    TcpSession ssn;    Packet *p = NULL;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();    memset(&th_v, 0, sizeof(th_v));    memset(&f, 0, sizeof(f));    memset(&ssn, 0, sizeof(ssn));    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);    p->tcph->th_seq = htonl(1000);    FLOW_INITIALIZE(&f);    f.protoctx = (void *)&ssn;    p->flow = &f;    p->flowflags |= FLOW_PKT_TOSERVER;    p->flowflags |= FLOW_PKT_ESTABLISHED;    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;    f.alproto = ALPROTO_TLS;    f.proto = p->proto;    StreamTcpInitConfig(TRUE);    StreamMsg *stream_msg = StreamMsgGetFromPool();    if (stream_msg == NULL) {        printf("no stream_msg: ");        goto end;    }    memcpy(stream_msg->data, sslbuf4, ssllen4);    stream_msg->data_len = ssllen4;    ssn.toserver_smsg_head = stream_msg;    ssn.toserver_smsg_tail = stream_msg;    de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:/"TLS/"; ssl_version:tls1.0; content:/"|01 00 00 AD|/"; sid:1;)");    if (s == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);    SCMutexLock(&f.m);    int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf1, ssllen1);    if (r != 0) {        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        
SCMutexUnlock(&f.m);        goto end;    }    r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf2, ssllen2);    if (r != 0) {        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);        SCMutexUnlock(&f.m);        goto end;    }    r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf3, ssllen3);    if (r != 0) {        printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);        SCMutexUnlock(&f.m);        goto end;    }    r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, sslbuf4, ssllen4);    if (r != 0) {        printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);        SCMutexUnlock(&f.m);        goto end;    }    SCMutexUnlock(&f.m);    SSLState *app_state = f.alstate;    if (app_state == NULL) {        printf("no ssl state: ");        goto end;    }//.........这里部分代码省略.........


示例13: DetectICodeMatchTest01

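/**
 * \test DetectICodeMatchTest01 checks the icode keyword by loading five rules
 *       with different icode expressions and running a crafted ICMP packet
 *       (icmpv4 code 10) against them. Four of the five rules are expected to
 *       alert: sid 3 (icode:>20) must stay silent, the other four must fire.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectICodeMatchTest01(void) {
    /* rule text, its sid, and whether code 10 is expected to match it */
    static const struct {
        const char *rule;
        int sid;
        int expect_alert;
    } cases[] = {
        { "alert icmp any any -> any any (icode:10; sid:1;)",    1, 1 },
        { "alert icmp any any -> any any (icode:<15; sid:2;)",   2, 1 },
        { "alert icmp any any -> any any (icode:>20; sid:3;)",   3, 0 },
        { "alert icmp any any -> any any (icode:8<>20; sid:4;)", 4, 1 },
        { "alert icmp any any -> any any (icode:20<>8; sid:5;)", 5, 1 },
    };
    const size_t ncases = sizeof(cases) / sizeof(cases[0]);
    Packet *p = NULL;
    Signature *last = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;
    size_t i;

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
    if (p == NULL || p->icmpv4h == NULL) {
        printf("UTHBuildPacket failed: ");
        goto end;
    }
    p->icmpv4h->code = 10;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    /* chain the rules onto de_ctx->sig_list in table order */
    for (i = 0; i < ncases; i++) {
        Signature *s = SigInit(de_ctx, cases[i].rule);
        if (s == NULL) {
            printf("SigInit failed for sid %d: ", cases[i].sid);
            goto end;
        }
        if (last == NULL)
            de_ctx->sig_list = s;
        else
            last->next = s;
        last = s;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    /* report with printf like the sibling tests: SCLogDebug output is not
     * visible in a normal unittest run, so a failure here was silent */
    for (i = 0; i < ncases; i++) {
        int alerted = PacketAlertCheck(p, cases[i].sid) != 0;
        if (alerted != cases[i].expect_alert) {
            printf("sid %d %s, but should%s have: ", cases[i].sid,
                    alerted ? "alerted" : "did not alert",
                    alerted ? " not" : "");
            goto end;
        }
    }

    result = 1;

end:
    /* single teardown path: the original leaked de_ctx and the packet when
     * SigInit() failed, and the packet when DetectEngineCtxInit() failed */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
    }
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    if (p != NULL)
        UTHFreePackets(&p, 1);
    return result;
}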


示例14: DetectHttpStatMsgSigTest03

/** /test Check the signature working to alert when http_stat_msg is used with *        negated content . */static int DetectHttpStatMsgSigTest03(void) {    int result = 0;    Flow f;    uint8_t httpbuf1[] = "POST / HTTP/1.0/r/nUser-Agent: Mozilla/1.0/r/n/r/n";    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the /0 */    uint8_t httpbuf2[] = "HTTP/1.0 200 OK/r/n/r/n";    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the /0 */    TcpSession ssn;    Packet *p = NULL;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    HtpState *http_state = NULL;    memset(&th_v, 0, sizeof(th_v));    memset(&f, 0, sizeof(f));    memset(&ssn, 0, sizeof(ssn));    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);    FLOW_INITIALIZE(&f);    f.protoctx = (void *)&ssn;    f.flags |= FLOW_IPV4;    p->flow = &f;    p->flowflags |= FLOW_PKT_TOCLIENT;    p->flowflags |= FLOW_PKT_ESTABLISHED;    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    f.alproto = ALPROTO_HTTP;    StreamTcpInitConfig(TRUE);    DetectEngineCtx *de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"                                   "/"HTTP status message/"; content:/"ok/"; "                                   "nocase; http_stat_msg; sid:1;)");    if (s == NULL) {        goto end;    }    s->next = SigInit(de_ctx,"alert http any any -> any any (msg:/"HTTP "                        "Status message nocase/"; content:!/"Not/"; "                        "http_stat_msg; sid:2;)");    if (s->next == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, httpbuf1, httplen1);    if (r != 0) {        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        result = 0;        goto end;    }    r = AppLayerParse(NULL, 
&f, ALPROTO_HTTP, STREAM_TOCLIENT, httpbuf2, httplen2);    if (r != 0) {        printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);        result = 0;        goto end;    }    http_state = f.alstate;    if (http_state == NULL) {        printf("no http state: ");        result = 0;        goto end;    }    /* do detect */    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    if (! PacketAlertCheck(p, 1)) {        printf("sid 1 didn't matched but should have: ");        goto end;    }    if (! PacketAlertCheck(p, 2)) {        printf("sid 2 didn't matched but should have: ");        goto end;    }    result = 1;end:    if (det_ctx != NULL) {        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);    }    if (de_ctx != NULL) {        SigGroupCleanup(de_ctx);        DetectEngineCtxFree(de_ctx);    }//.........这里部分代码省略.........


示例15: DetectTtlTestSig1

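/**
 * \test ttl keyword against a hand-built IPv4 packet whose header carries
 *       ttl 15. Four rules are loaded: "ttl: >16" (sid 1) must not alert,
 *       while "ttl: <17" (sid 2), "ttl:15" (sid 3) and "ttl: 1-30" (sid 4)
 *       must all alert.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectTtlTestSig1(void)
{
    /* rule text, its sid, and whether ttl 15 is expected to match it */
    static const struct {
        const char *rule;
        int sid;
        int expect_alert;
    } cases[] = {
        { "alert ip any any -> any any (msg:\"with in ttl limit\"; ttl: >16; sid:1;)", 1, 0 },
        { "alert ip any any -> any any (msg:\"Less than 17\"; ttl: <17; sid:2;)",      2, 1 },
        { "alert ip any any -> any any (msg:\"Greater than 5\"; ttl:15; sid:3;)",      3, 1 },
        { "alert ip any any -> any any (msg:\"Equals tcp\"; ttl: 1-30; sid:4;)",       4, 1 },
    };
    const size_t ncases = sizeof(cases) / sizeof(cases[0]);
    Packet *p = PacketGetFromAlloc();
    if (unlikely(p == NULL))
        return 0;

    Signature *last = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    IPV4Hdr ip4h;
    int result = 0;
    size_t i;

    memset(&th_v, 0, sizeof(th_v));
    memset(&ip4h, 0, sizeof(ip4h));

    /* minimal IPv4/TCP packet: only the fields the ttl keyword looks at are
     * filled in, and the header lives on this stack frame */
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->proto = IPPROTO_TCP;
    ip4h.ip_ttl = 15;
    p->ip4h = &ip4h;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    /* chain the rules onto de_ctx->sig_list in table order */
    for (i = 0; i < ncases; i++) {
        Signature *s = SigInit(de_ctx, cases[i].rule);
        if (s == NULL) {
            printf("SigInit failed for sid %d: ", cases[i].sid);
            goto end;
        }
        if (last == NULL)
            de_ctx->sig_list = s;
        else
            last->next = s;
        last = s;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    for (i = 0; i < ncases; i++) {
        int alerted = PacketAlertCheck(p, cases[i].sid) != 0;
        if (alerted != cases[i].expect_alert) {
            printf("sid %d %s, but should%s have: ", cases[i].sid,
                    alerted ? "alerted" : "did not alert",
                    alerted ? " not" : "");
            goto end;
        }
    }

    result = 1;

end:
    /* single teardown path: the original leaked de_ctx when SigInit() failed
     * because it jumped past the cleanup label */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
    }
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    SCFree(p);
    return result;
}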


示例16: FlowBitsTestSig02

static int FlowBitsTestSig02(void){    uint8_t *buf = (uint8_t *)                    "GET /one/ HTTP/1.1/r/n"                    "Host: one.example.org/r/n"                    "/r/n";    uint16_t buflen = strlen((char *)buf);    Packet *p = SCMalloc(SIZE_OF_PACKET);    if (unlikely(p == NULL))        return 0;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    DetectEngineCtx *de_ctx = NULL;    int result = 0;    int error_count = 0;    memset(&th_v, 0, sizeof(th_v));    memset(p, 0, SIZE_OF_PACKET);    p->src.family = AF_INET;    p->dst.family = AF_INET;    p->payload = buf;    p->payload_len = buflen;    p->proto = IPPROTO_TCP;    de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:/"isset rule need an option/"; flowbits:isset; content:/"GET /"; sid:1;)");    if (s == NULL) {        error_count++;    }    s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:/"isnotset rule need an option/"; flowbits:isnotset; content:/"GET /"; sid:2;)");    if (s == NULL) {        error_count++;    }    s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:/"set rule need an option/"; flowbits:set; content:/"GET /"; sid:3;)");    if (s == NULL) {        error_count++;    }    s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:/"unset rule need an option/"; flowbits:unset; content:/"GET /"; sid:4;)");    if (s == NULL) {        error_count++;    }    s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:/"toggle rule need an option/"; flowbits:toggle; content:/"GET /"; sid:5;)");    if (s == NULL) {        error_count++;    }    if(error_count == 5)        goto end;    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    if (PacketAlertCheck(p, 
1)) {        goto cleanup;    }    if (PacketAlertCheck(p, 2)) {        goto cleanup;    }    if (PacketAlertCheck(p, 3)) {        goto cleanup;    }    if (PacketAlertCheck(p, 4)) {        goto cleanup;    }    if (PacketAlertCheck(p, 5)) {        goto cleanup;    }    result = 1;cleanup:    SigGroupCleanup(de_ctx);    SigCleanSignatures(de_ctx);    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);    DetectEngineCtxFree(de_ctx);end:    if (de_ctx != NULL) {        SigGroupCleanup(de_ctx);//.........这里部分代码省略.........


示例17: DetectFtpbounceTestALMatch02

/** * /test Check the ftpbounce match, send a get request in three chunks * + more data. * /brief This test tests the ftpbounce condition match, based on the *   ftp layer parser */static int DetectFtpbounceTestALMatch02(void){    int result = 0;    uint8_t ftpbuf1[] = { 'P','O' };    uint32_t ftplen1 = sizeof(ftpbuf1);    uint8_t ftpbuf2[] = { 'R', 'T' };    uint32_t ftplen2 = sizeof(ftpbuf2);    uint8_t ftpbuf3[] = { ' ', '8','0',',','5' };    uint32_t ftplen3 = sizeof(ftpbuf3);    uint8_t ftpbuf4[] = "8,0,33,10,20/r/n";    uint32_t ftplen4 = sizeof(ftpbuf4);    TcpSession ssn;    Flow f;    Packet *p = NULL;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();    memset(&th_v, 0, sizeof(th_v));    memset(&f, 0, sizeof(f));    memset(&ssn, 0, sizeof(ssn));    p = UTHBuildPacketSrcDst(NULL, 0, IPPROTO_TCP, "1.2.3.4", "5.6.7.8");    FLOW_INITIALIZE(&f);    f.src.address.address_un_data32[0]=0x01020304;    f.protoctx =(void *)&ssn;    f.proto = IPPROTO_TCP;    p->flow = &f;    p->flowflags |= FLOW_PKT_TOSERVER;    p->flowflags |= FLOW_PKT_ESTABLISHED;    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    f.alproto = ALPROTO_FTP;    StreamTcpInitConfig(TRUE);    DetectEngineCtx *de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "                                   "(msg:/"Ftp Bounce/"; ftpbounce; sid:1;)");    if (s == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);    FLOWLOCK_WRLOCK(&f);    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,                                STREAM_TOSERVER, ftpbuf1, ftplen1);    if (r != 0) {        SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        result = 0;        FLOWLOCK_UNLOCK(&f);        goto 
end;    }    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,                            ftpbuf2, ftplen2);    if (r != 0) {        SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);        result = 0;        FLOWLOCK_UNLOCK(&f);        goto end;    }    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,                            ftpbuf3, ftplen3);    if (r != 0) {        SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);        result = 0;        FLOWLOCK_UNLOCK(&f);        goto end;    }    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,                            ftpbuf4, ftplen4);    if (r != 0) {        SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);        result = 0;        FLOWLOCK_UNLOCK(&f);        goto end;    }    FLOWLOCK_UNLOCK(&f);//.........这里部分代码省略.........


示例18: FlowBitsTestSig05

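/**
 * \test flowbits:noalert. The rule must parse with SIG_FLAG_NOALERT set, and
 *       running detection on a packet whose payload carries the "GET " the
 *       rule looks for must not leave an alert for sid 1 on the packet.
 *
 * The packet is a bare SCMalloc'd Packet with only the address families,
 * protocol and payload set; it has no flow, so only the content match and the
 * noalert flag are exercised.
 *
 * \retval 1 on success, 0 on failure
 */
static int FlowBitsTestSig05(void)
{
    uint8_t *buf = (uint8_t *)
                    "GET /one/ HTTP/1.1\r\n"
                    "Host: one.example.org\r\n"
                    "\r\n";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = SCMalloc(SIZE_OF_PACKET);
    if (unlikely(p == NULL))
        return 0;

    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(p, 0, SIZE_OF_PACKET);
    p->src.family = AF_INET;
    p->dst.family = AF_INET;
    p->payload = buf;
    p->payload_len = buflen;
    p->proto = IPPROTO_TCP;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
    if (s == NULL) {
        printf("SigInit failed: ");
        goto end;
    }
    if ((s->flags & SIG_FLAG_NOALERT) != SIG_FLAG_NOALERT) {
        printf("flowbits:noalert did not set SIG_FLAG_NOALERT: ");
        goto end;
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    /* the original only checked the parse-time flag; a noalert rule that
     * still produced an alert would have passed unnoticed */
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 alerted, but flowbits:noalert should have suppressed it: ");
        goto end;
    }

    result = 1;

end:
    /* one teardown path instead of the duplicated success/failure cleanup */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
    }
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    }
    if (de_ctx != NULL) {
        DetectEngineCtxFree(de_ctx);
    }
    SCFree(p);
    PASS_IF(result);
}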


示例19: DetectHttpRawHeaderTest11

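/**
 * \test Test that a negated http_raw_header content matches against an
 *       HTTP request which does not hold the content: the request below
 *       never contains "lalalalala", so sid 1 (content:!"lalalalala";
 *       http_raw_header) must alert.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectHttpRawHeaderTest11(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 26\r\n"
        "\r\n"
        "This is dummy message body\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;
    int r;

    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    if (alp_tctx == NULL) {
        printf("AppLayerParserThreadCtxAlloc failed: ");
        return 0;
    }

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    /* both early failures happen before FLOW_INITIALIZE/StreamTcpInitConfig,
     * so they must not run the matching teardown at the end label */
    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL) {
        printf("UTHBuildPacket failed: ");
        AppLayerParserThreadCtxFree(alp_tctx);
        return 0;
    }

    /* established to-server TCP flow carrying HTTP */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP;

    StreamTcpInitConfig(TRUE);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; flow:to_server; "
                               "content:!\"lalalalala\"; http_raw_header; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* the flow lock is held only around the parser call */
    SCMutexLock(&f.m);
    r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    SCMutexUnlock(&f.m);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (!(PacketAlertCheck(p, 1))) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
    }
    /* the original never released the thread context it initialised */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}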


示例20: FlowBitsTestSig08

static int FlowBitsTestSig08(void){    uint8_t *buf = (uint8_t *)                    "GET /one/ HTTP/1.1/r/n"                    "Host: one.example.org/r/n"                    "/r/n";    uint16_t buflen = strlen((char *)buf);    Packet *p = SCMalloc(SIZE_OF_PACKET);    if (unlikely(p == NULL))        return 0;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    DetectEngineCtx *de_ctx = NULL;    Flow f;    GenericVar flowvar, *gv = NULL;    int result = 0;    int idx = 0;    memset(p, 0, SIZE_OF_PACKET);    memset(&th_v, 0, sizeof(th_v));    memset(&f, 0, sizeof(Flow));    memset(&flowvar, 0, sizeof(GenericVar));    FLOW_INITIALIZE(&f);    p->flow = &f;    p->flow->flowvar = &flowvar;    p->src.family = AF_INET;    p->dst.family = AF_INET;    p->payload = buf;    p->payload_len = buflen;    p->proto = IPPROTO_TCP;    de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:/"Flowbit set/"; flowbits:set,myflow2; sid:10;)");    if (s == NULL) {        goto end;    }    s = s->next  = SigInit(de_ctx,"alert ip any any -> any any (msg:/"Flowbit unset/"; flowbits:toggle,myflow2; sid:11;)");    if (s == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_FLOW_BIT);    gv = p->flow->flowvar;    for ( ; gv != NULL; gv = gv->next) {        if (gv->type == DETECT_FLOWBITS && gv->idx == idx) {                result = 1;        }    }    SigGroupCleanup(de_ctx);    SigCleanSignatures(de_ctx);    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);    DetectEngineCtxFree(de_ctx);    if(gv) GenericVarFree(gv);    FLOW_DESTROY(&f);    SCFree(p);    PASS_IF(result == 0);end:    if (de_ctx != NULL) {        SigGroupCleanup(de_ctx);        
SigCleanSignatures(de_ctx);    }    if (det_ctx != NULL) {        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);    }    if (de_ctx != NULL) {        DetectEngineCtxFree(de_ctx);    }    if(gv) GenericVarFree(gv);    FLOW_DESTROY(&f);    SCFree(p);    PASS_IF(result == 0);//.........这里部分代码省略.........


示例21: DetectHttpCookieSigTest08

/** * /test Check the signature working to alert against set-cookie */static int DetectHttpCookieSigTest08(void){    int result = 0;    Flow f;    uint8_t httpbuf_request[] =        "GET / HTTP/1.1/r/n"        "User-Agent: Mozilla/1.0/r/n"        "/r/n";    uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the /0 */    uint8_t httpbuf_response[] =        "HTTP/1.1 200 OK/r/n"        "Set-Cookie: response_user_agent/r/n"        "/r/n";    uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the /0 */    TcpSession ssn;    Packet *p1 = NULL, *p2 = NULL;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    HtpState *http_state = NULL;    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();    memset(&th_v, 0, sizeof(th_v));    memset(&f, 0, sizeof(f));    memset(&ssn, 0, sizeof(ssn));    FLOW_INITIALIZE(&f);    f.protoctx = (void *)&ssn;    f.proto = IPPROTO_TCP;    f.flags |= FLOW_IPV4;    f.alproto = ALPROTO_HTTP;    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);    p1->flow = &f;    p1->flowflags |= FLOW_PKT_TOSERVER;    p1->flowflags |= FLOW_PKT_ESTABLISHED;    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);    p2->flow = &f;    p2->flowflags |= FLOW_PKT_TOCLIENT;    p2->flowflags |= FLOW_PKT_ESTABLISHED;    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;    StreamTcpInitConfig(TRUE);    DetectEngineCtx *de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "                                   "(flow:to_client; content:/"response_user_agent/"; "                                   "http_cookie; sid:1;)");    if (s == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);    /* request */    FLOWLOCK_WRLOCK(&f);    int r = AppLayerParserParse(NULL, 
alp_tctx, &f, ALPROTO_HTTP,                                STREAM_TOSERVER, httpbuf_request,                                httpbuf_request_len);    if (r != 0) {        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        result = 0;        FLOWLOCK_UNLOCK(&f);        goto end;    }    FLOWLOCK_UNLOCK(&f);    http_state = f.alstate;    if (http_state == NULL) {        printf("no http state: ");        goto end;    }    /* do detect */    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);    if (PacketAlertCheck(p1, 1)) {        goto end;    }    /* response */    FLOWLOCK_WRLOCK(&f);    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,                            STREAM_TOCLIENT, httpbuf_response,                            httpbuf_response_len);    if (r != 0) {//.........这里部分代码省略.........


示例22: DetectHttpRequestLineWrapper

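/**
 * \brief Shared driver for the http_request_line detection tests.
 *
 * Builds one established to-server TCP flow, feeds a fixed HTTP request
 * ("GET /index.html HTTP/1.0" with Host, User-Agent and Content-Type headers)
 * through the HTTP app-layer parser, loads exactly one rule and runs
 * detection once against the packet.
 *
 * \param sig          rule text to load; its sid is read back from the parsed
 *                     Signature, so callers do not have to repeat it
 * \param expectation  value PacketAlertCheck() must return for that sid
 *                     (non-zero for "must alert", 0 for "must not alert")
 *
 * \retval 1 the rule loaded, parsing succeeded and the alert outcome matched
 * \retval 0 otherwise; the FAIL_IF macros return early and, as is usual for
 *           these unit tests, do not release what was set up before the failure
 */
static int DetectHttpRequestLineWrapper(const char *sig, const int expectation)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.openinfosecfoundation.org\r\n"
        "User-Agent: This is dummy message body\r\n"
        "Content-Type: text/html\r\n"
        "\r\n";
    uint32_t http_len = sizeof(http_buf) - 1;

    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    FAIL_IF_NULL(alp_tctx);

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    FAIL_IF_NULL(p);

    /* established to-server TCP flow carrying HTTP */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP;

    StreamTcpInitConfig(TRUE);

    de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, sig);
    FAIL_IF_NULL(de_ctx->sig_list);
    int sid = de_ctx->sig_list->id;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    /* the original used det_ctx without checking that the init produced one */
    FAIL_IF_NULL(det_ctx);

    int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    FAIL_IF(r != 0);

    http_state = f.alstate;
    FAIL_IF_NULL(http_state);

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    r = PacketAlertCheck(p, sid);
    FAIL_IF_NOT(r == expectation);

    AppLayerParserThreadCtxFree(alp_tctx);
    /* the original freed de_ctx without releasing the thread context first */
    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);
    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    PASS;
}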


示例23: DetectAppLayerEventTest05

int DetectAppLayerEventTest05(void){    int result = 0;    ThreadVars tv;    TcpReassemblyThreadCtx *ra_ctx = NULL;    Packet *p = NULL;    Flow *f = NULL;    TcpSession ssn;    TcpStream stream_ts, stream_tc;    DetectEngineCtx *de_ctx = NULL;    DetectEngineThreadCtx *det_ctx = NULL;    uint8_t buf_ts[] = "GET /index.html HTTP/1.1/r/n"        "Host: 127.0.0.1/r/n"        "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3/r/n"        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/r/n"        "Accept-Language: en-us,en;q=0.5/r/n"        "Accept-Encoding: gzip,deflate/r/n"        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7/r/n"        "Keep-Alive: 115/r/n"        "Connection: keep-alive/r/n"        "/r/n";    /* tls */    uint8_t buf_tc[] = {        0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,        0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,        0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,        0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,        0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,        0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,        0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,        0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,        0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,        0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,        0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,        0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,        0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,        0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,        0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,        0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,        0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,        0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,        0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,        0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,        0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,        0x2a, 
0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,        0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,        0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,        0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c,    };    memset(&tv, 0, sizeof (ThreadVars));    memset(&ssn, 0, sizeof(TcpSession));    memset(&stream_ts, 0, sizeof(TcpStream));    memset(&stream_tc, 0, sizeof(TcpStream));    ssn.data_first_seen_dir = STREAM_TOSERVER;    de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL)        goto end;    de_ctx->flags |= DE_QUIET;    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "                               "(app-layer-event: applayer_mismatch_protocol_both_directions; "                               "sid:1;)");    if (de_ctx->sig_list == NULL)        goto end;    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);    if (f == NULL)        goto end;    FLOW_INITIALIZE(f);    f->protoctx = &ssn;    f->proto = IPPROTO_TCP;    f->flags |= FLOW_IPV4;    p = PacketGetFromAlloc();    if (unlikely(p == NULL))        goto end;    p->flow = f;    p->src.family = AF_INET;    p->dst.family = AF_INET;    p->proto = IPPROTO_TCP;    ra_ctx = StreamTcpReassembleInitThreadCtx(&tv);    if (ra_ctx == NULL)        goto end;    StreamTcpInitConfig(TRUE);    p->flowflags = FLOW_PKT_TOSERVER;    if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_ts, buf_ts,                              sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0) {        printf("AppLayerHandleTCPData failure/n");        goto end;    }    SigMatchSignatures(&tv, de_ctx, det_ctx, p);    if (PacketAlertCheck(p, 1)) {        printf("sid 1 matched but shouldn't have/n");//.........这里部分代码省略.........
开发者ID:EmergingThreats,项目名称:suricata,代码行数:101,


示例24: DetectReplaceLongPatternMatchTest

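/**
 * \test Decode a raw ethernet frame, run a single signature against it and
 *       optionally hand the packet bytes back to the caller, so a second pass
 *       can check what a "replace" keyword did to the payload.
 *
 * \param raw_eth_pkt pointer to the ethernet frame to decode
 * \param pktsize     size of the frame in bytes
 * \param sig         signature text to load
 * \param sid         sid of that signature, used for the alert check
 * \param pp          output buffer for the packet data after detection, or
 *                    NULL to skip the copy; it must hold at least \a pktsize
 *                    bytes, as no bound is passed in
 * \param len         receives the number of bytes copied into \a pp; must be
 *                    non-NULL whenever \a pp is non-NULL
 *
 * \retval 1 the signature alerted (and the copy, if requested, was made)
 * \retval 0 allocation or setup failed, or the signature did not alert
 */
int DetectReplaceLongPatternMatchTest(uint8_t *raw_eth_pkt, uint16_t pktsize, char *sig,
                                      uint32_t sid, uint8_t *pp, uint16_t *len)
{
    int result = 0;
    Packet *p = NULL;
    p = SCMalloc(SIZE_OF_PACKET);
    if (unlikely(p == NULL))
        return 0;
    DecodeThreadVars dtv;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;

    if (pp == NULL) {
        SCLogDebug("replace: looks like a second run");
    }

    memset(p, 0, SIZE_OF_PACKET);
    /* packet data lives directly behind the Packet struct in the same block */
    p->pkt = (uint8_t *)(p + 1);
    PacketCopyData(p, raw_eth_pkt, pktsize);
    memset(&dtv, 0, sizeof(DecodeThreadVars));
    memset(&th_v, 0, sizeof(th_v));

    FlowInitConfig(FLOW_QUIET);
    DecodeEthernet(&th_v, &dtv, p, GET_PKT_DATA(p), pktsize, NULL);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, sig);
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    de_ctx->sig_list->next = NULL;

    /* the last payload match must not be flagged relative-next: there is
     * nothing after it for a relative match to anchor to */
    if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->type == DETECT_CONTENT) {
        DetectContentData *co = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
        if (co->flags & DETECT_CONTENT_RELATIVE_NEXT) {
            printf("relative next flag set on final match which is content: ");
            goto end;
        }
    }

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, sid) != 1) {
        /* sid is uint32_t: use the matching conversion, not %d */
        SCLogDebug("replace: no alert on sig %" PRIu32, sid);
        goto end;
    }

    if (pp != NULL) {
        /* hand back the packet bytes as they are after detection; the caller
         * guarantees pp is at least pktsize bytes and len is non-NULL */
        memcpy(pp, GET_PKT_DATA(p), GET_PKT_LEN(p));
        *len = pktsize;
        SCLogDebug("replace: copying %u on %p", (unsigned)*len, (void *)pp);
    }
    result = 1;

end:
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    FlowShutdown();
    SCFree(p);
    return result;
}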
开发者ID:decanio,项目名称:suricata-tilera,代码行数:91,


示例25: DetectDnsQueryTest04

/** /test simple google.com query matching (TCP splicing) */static int DetectDnsQueryTest04(void){    /* google.com */    uint8_t buf1[] = {  0x00, 28,                        0x10, 0x32, 0x01, 0x00, 0x00, 0x01,                        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, };    uint8_t buf2[] = {  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,                        0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,                        0x00, 0x10, 0x00, 0x01, };    Flow f;    RSDNSState *dns_state = NULL;    Packet *p1 = NULL, *p2 = NULL;    Signature *s = NULL;    ThreadVars tv;    DetectEngineThreadCtx *det_ctx = NULL;    TcpSession ssn;    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();    memset(&tv, 0, sizeof(ThreadVars));    memset(&f, 0, sizeof(Flow));    memset(&ssn, 0, sizeof(TcpSession));    p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_TCP,                           "192.168.1.5", "192.168.1.1",                           41424, 53);    p2 = UTHBuildPacketReal(buf2, sizeof(buf2), IPPROTO_TCP,                           "192.168.1.5", "192.168.1.1",                           41424, 53);    FLOW_INITIALIZE(&f);    f.protoctx = (void *)&ssn;    f.flags |= FLOW_IPV4;    f.proto = IPPROTO_TCP;    f.protomap = FlowGetProtoMapping(f.proto);    f.alproto = ALPROTO_DNS;    p1->flow = &f;    p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    p1->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;    p2->flow = &f;    p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    p2->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;    StreamTcpInitConfig(TRUE);    DetectEngineCtx *de_ctx = DetectEngineCtxInit();    FAIL_IF_NULL(de_ctx);    de_ctx->mpm_matcher = mpm_default_matcher;    de_ctx->flags |= DE_QUIET;    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "                              "(msg:/"Test dns_query option/"; "                              "dns_query; content:/"google/"; nocase; sid:1;)");    FAIL_IF_NULL(s);    SigGroupBuild(de_ctx);    
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);    FLOWLOCK_WRLOCK(&f);    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,                                STREAM_TOSERVER, buf1, sizeof(buf1));    if (r != 0) {        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        FLOWLOCK_UNLOCK(&f);        FAIL;    }    FLOWLOCK_UNLOCK(&f);    dns_state = f.alstate;    FAIL_IF_NULL(dns_state);    /* do detect */    SigMatchSignatures(&tv, de_ctx, det_ctx, p1);    if (PacketAlertCheck(p1, 1)) {        printf("sig 1 alerted, but it should not have: ");        FAIL;    }    FLOWLOCK_WRLOCK(&f);    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,                            buf2, sizeof(buf2));    if (r != 0) {        printf("toserver chunk 1 returned %" PRId32 ", expected 0/n", r);        FLOWLOCK_UNLOCK(&f);        FAIL;    }    FLOWLOCK_UNLOCK(&f);    /* do detect */    SigMatchSignatures(&tv, de_ctx, det_ctx, p2);    if (!(PacketAlertCheck(p2, 1))) {        printf("sig 1 didn't alert, but it should have: ");        FAIL;    }    if (alp_tctx != NULL)//.........这里部分代码省略.........
开发者ID:gozzy,项目名称:suricata,代码行数:101,


示例26: DetectHttpMethodSigTest04

/** /test Check a signature with an request method and negation of the same */static int DetectHttpMethodSigTest04(void){    int result = 0;    Flow f;    uint8_t httpbuf1[] = "GET / HTTP/1.0/r/n"                         "Host: foo.bar.tld/r/n"                         "/r/n";    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the /0 */    TcpSession ssn;    Packet *p = NULL;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    HtpState *http_state = NULL;    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();    memset(&th_v, 0, sizeof(th_v));    memset(&f, 0, sizeof(f));    memset(&ssn, 0, sizeof(ssn));    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);    FLOW_INITIALIZE(&f);    f.protoctx = (void *)&ssn;    f.proto = IPPROTO_TCP;    f.flags |= FLOW_IPV4;    p->flow = &f;    p->flowflags |= FLOW_PKT_TOSERVER;    p->flowflags |= FLOW_PKT_ESTABLISHED;    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    f.alproto = ALPROTO_HTTP;    StreamTcpInitConfig(TRUE);    DetectEngineCtx *de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,            "alert tcp any any -> any any (msg:/"Testing http_method/"; "            "content:/"GET/"; http_method; sid:1;)");    if (s == NULL) {        goto end;    }    s = s->next = SigInit(de_ctx,            "alert tcp any any -> any any (msg:/"Testing http_method/"; "            "content:!/"GET/"; http_method; sid:2;)");    if (s == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);    FLOWLOCK_WRLOCK(&f);    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,                                STREAM_TOSERVER, httpbuf1, httplen1);    if (r != 0) {        SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        FLOWLOCK_UNLOCK(&f);        goto end;    }    FLOWLOCK_UNLOCK(&f);    http_state = 
f.alstate;    if (http_state == NULL) {        SCLogDebug("no http state: ");        goto end;    }    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    if (!(PacketAlertCheck(p, 1))) {        printf("sid 1 didn't match but should have: ");        goto end;    }    if (PacketAlertCheck(p, 2)) {        printf("sid 2 matched but shouldn't have: ");        goto end;    }    result = 1;end:    if (alp_tctx != NULL)        AppLayerParserThreadCtxFree(alp_tctx);    if (de_ctx != NULL) {        SigGroupCleanup(de_ctx);        SigCleanSignatures(de_ctx);    }    if (det_ctx != NULL) {        DetectEngineThreadCtxDeinit(&th_v, (void *) det_ctx);    }    if (de_ctx != NULL) {//.........这里部分代码省略.........
开发者ID:P1sec,项目名称:suricata,代码行数:101,


示例27: DetectDnsQueryTest06

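/**
 * \test A DNS query for google.com over UDP must match a dns_query rule that
 *       combines content with an absolute pcre (sid 1) and one with a
 *       relative pcre (sid 2).
 *
 * \retval 1 both signatures alerted
 * \retval 0 setup failed or a signature did not alert (FAIL_* return early)
 */
static int DetectDnsQueryTest06(void)
{
    /* DNS header followed by the question: google.com, type 16 (TXT), class IN */
    uint8_t buf[] = {   0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
                        0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                        0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
                        0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
                        0x00, 0x10, 0x00, 0x01, };
    Flow f;
    RSDNSState *dns_state = NULL;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;

    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    FAIL_IF_NULL(alp_tctx);

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));

    p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
                           "192.168.1.5", "192.168.1.1",
                           41424, 53);
    FAIL_IF_NULL(p);

    /* UDP flow to the server, tagged as DNS so the parser is selected */
    FLOW_INITIALIZE(&f);
    f.flags |= FLOW_IPV4;
    f.proto = IPPROTO_UDP;
    f.protomap = FlowGetProtoMapping(f.proto);

    p->flow = &f;
    p->flags |= PKT_HAS_FLOW;
    p->flowflags |= FLOW_PKT_TOSERVER;
    f.alproto = ALPROTO_DNS;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->mpm_matcher = mpm_default_matcher;
    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                              "(msg:\"Test dns_query option\"; "
                              "dns_query; content:\"google\"; nocase; "
                              "pcre:\"/google\\.com$/i\"; sid:1;)");
    FAIL_IF_NULL(s);
    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                      "(msg:\"Test dns_query option\"; "
                                      "dns_query; content:\"google\"; nocase; "
                                      "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    FLOWLOCK_WRLOCK(&f);
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
                                STREAM_TOSERVER, buf, sizeof(buf));
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        FLOWLOCK_UNLOCK(&f);
        FAIL;
    }
    FLOWLOCK_UNLOCK(&f);

    dns_state = f.alstate;
    FAIL_IF_NULL(dns_state);

    /* do detect */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);

    if (!(PacketAlertCheck(p, 1))) {
        printf("sig 1 didn't alert, but it should have: ");
        FAIL;
    }
    if (!(PacketAlertCheck(p, 2))) {
        printf("sig 2 didn't alert, but it should have: ");
        FAIL;
    }

    AppLayerParserThreadCtxFree(alp_tctx);
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    SigGroupCleanup(de_ctx);
    DetectEngineCtxFree(de_ctx);

    FLOW_DESTROY(&f);
    UTHFreePacket(p);
    PASS;
}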
开发者ID:gozzy,项目名称:suricata,代码行数:91,


示例28: PayloadTestSig13

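/**
 * \test Exercise the inspection_recursion_limit counter: a long run of "aa"
 *       matches with distance:0 followed by a byte_test that never succeeds
 *       forces the payload inspector to backtrack many times. The elapsed
 *       wall time is printed so a runaway search shows up in the output.
 *
 * NOTE(review): result is set to 1 unconditionally after the loop, so the
 * alert check inside it does not decide pass/fail; this appears deliberate
 * (the signature cannot match 'a' bytes with byte_test >200) but confirm
 * before relying on this test to catch a detection regression.
 *
 * \retval 1 always, once the packet could be built
 */
static int PayloadTestSig13(void)
{
    uint8_t *buf = (uint8_t *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
    int result = 0;
    uint16_t mpm_type = MPM_B2G;
    char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
        "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
        "byte_test:1,>,200,0,relative; sid:1;)";

    if (p == NULL)
        return 0;

    struct timeval tv_start, tv_end, tv_diff;

    gettimeofday(&tv_start, NULL);

    do {
        ThreadVars th_v;
        DetectEngineThreadCtx *det_ctx = NULL;
        memset(&th_v, 0, sizeof(th_v));

        DetectEngineCtx *de_ctx = DetectEngineCtxInit();
        if (de_ctx == NULL) {
            printf("de_ctx == NULL: ");
            goto end;
        }
        /* the limit under test; high enough that the search still takes
         * measurable time, low enough to bound it */
        de_ctx->inspection_recursion_limit = 3000;
        de_ctx->flags |= DE_QUIET;
        de_ctx->mpm_matcher = mpm_type;

        de_ctx->sig_list = SigInit(de_ctx, sig);
        if (de_ctx->sig_list == NULL) {
            printf("signature == NULL: ");
            goto end;
        }

        SigGroupBuild(de_ctx);
        DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
        if (PacketAlertCheck(p, de_ctx->sig_list->id) != 1) {
            goto end;
        }

        result = 1;
    end:
        /* de_ctx may be NULL when we arrive here from the first goto */
        if (de_ctx != NULL) {
            SigGroupCleanup(de_ctx);
            SigCleanSignatures(de_ctx);
        }
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        if (de_ctx != NULL)
            DetectEngineCtxFree(de_ctx);
    } while (0);

    gettimeofday(&tv_end, NULL);

    /* subtract with borrow so the printed microseconds never go negative */
    tv_diff.tv_sec = tv_end.tv_sec - tv_start.tv_sec;
    tv_diff.tv_usec = tv_end.tv_usec - tv_start.tv_usec;
    if (tv_diff.tv_usec < 0) {
        tv_diff.tv_sec -= 1;
        tv_diff.tv_usec += 1000000;
    }

    printf("%ld.%06ld\n", (long)tv_diff.tv_sec, (long)tv_diff.tv_usec);

    result = 1;

    if (p != NULL)
        UTHFreePacket(p);
    return result;
}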
开发者ID:awick,项目名称:suricata,代码行数:95,


示例29: DetectEngineHttpMethodTest01

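/**
 * \test Test that the http_method content matches against a http request
 *       which holds the content.
 *
 * \retval 1 sid 1 alerted on the GET request
 * \retval 0 setup failed, the parser rejected the request, or no alert
 */
static int DetectEngineHttpMethodTest01(void)
{
    TcpSession ssn;
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    HtpState *http_state = NULL;
    Flow f;
    uint8_t http_buf[] =
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.onetwothreefourfivesixseven.org\r\n\r\n";
    /* sizeof counts the terminating NUL, which is not part of the request */
    uint32_t http_len = sizeof(http_buf) - 1;
    int result = 0;

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
    if (p == NULL)
        return 0;

    /* attach the packet to an established to-server flow speaking HTTP */
    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.flags |= FLOW_IPV4;
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP;

    StreamTcpInitConfig(TRUE);

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
                               "(msg:\"http header test\"; "
                               "content:\"GET\"; http_method; "
                               "sid:1;)");
    if (de_ctx->sig_list == NULL)
        goto end;

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f.alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* do detect */
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (!(PacketAlertCheck(p, 1))) {
        printf("sid 1 didn't match but should have: ");
        goto end;
    }

    result = 1;

end:
    /* the thread context references de_ctx, so release it first */
    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}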
开发者ID:gcordrey,项目名称:suricata,代码行数:89,


示例30: DetectSshVersionTestDetect03

/** /test Send a get request in three chunks + more data. */static int DetectSshVersionTestDetect03(void){    int result = 0;    Flow f;    uint8_t sshbuf1[] = "SSH-1.";    uint32_t sshlen1 = sizeof(sshbuf1) - 1;    uint8_t sshbuf2[] = "7-PuTTY_2.123" ;    uint32_t sshlen2 = sizeof(sshbuf2) - 1;    uint8_t sshbuf3[] = "/n";    uint32_t sshlen3 = sizeof(sshbuf3) - 1;    uint8_t sshbuf4[] = "whatever...";    uint32_t sshlen4 = sizeof(sshbuf4) - 1;    TcpSession ssn;    Packet *p = NULL;    Signature *s = NULL;    ThreadVars th_v;    DetectEngineThreadCtx *det_ctx = NULL;    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();    memset(&th_v, 0, sizeof(th_v));    memset(&f, 0, sizeof(f));    memset(&ssn, 0, sizeof(ssn));    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);    FLOW_INITIALIZE(&f);    f.protoctx = (void *)&ssn;    p->flow = &f;    p->flowflags |= FLOW_PKT_TOSERVER;    p->flowflags |= FLOW_PKT_ESTABLISHED;    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;    f.alproto = ALPROTO_SSH;    f.proto = IPPROTO_TCP;    StreamTcpInitConfig(TRUE);    DetectEngineCtx *de_ctx = DetectEngineCtxInit();    if (de_ctx == NULL) {        goto end;    }    de_ctx->flags |= DE_QUIET;    s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:/"SSH/"; ssh.protoversion:2_compat; sid:1;)");    if (s == NULL) {        goto end;    }    SigGroupBuild(de_ctx);    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);    FLOWLOCK_WRLOCK(&f);    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH,                                STREAM_TOSERVER, sshbuf1, sshlen1);    if (r != 0) {        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);        FLOWLOCK_UNLOCK(&f);        goto end;    }    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,                            sshbuf2, sshlen2);    if (r != 0) {        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);        FLOWLOCK_UNLOCK(&f);       
 goto end;    }    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,                            sshbuf3, sshlen3);    if (r != 0) {        printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);        FLOWLOCK_UNLOCK(&f);        goto end;    }    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,                            sshbuf4, sshlen4);    if (r != 0) {        printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);        FLOWLOCK_UNLOCK(&f);        goto end;    }    FLOWLOCK_UNLOCK(&f);    SshState *ssh_state = f.alstate;    if (ssh_state == NULL) {        printf("no ssh state: ");        goto end;    }    /* do detect */    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);    if (PacketAlertCheck(p, 1)) {        printf("Error, 1.7 version is not 2 compat, so the sig should not match: ");        goto end;    }//.........这里部分代码省略.........
开发者ID:bmeeks8,项目名称:suricata,代码行数:101,



注:本文中的DetectEngineThreadCtxInit函数示例整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。

