BIT-844: fix UDP payload signatures to match packet-wise

2025-10-13 03:58:20 +00:00 · 2015-04-06 15:22:26 -05:00 · 2015-04-06 15:22:26 -05:00 · 56a7bf7936
commit 56a7bf7936
parent 1a42296389
6 changed files with 72 additions and 12 deletions
--- a/testing/btest/Baseline/signatures.udp-packetwise-match/out
+++ b/testing/btest/Baseline/signatures.udp-packetwise-match/out
@ -0,0 +1,6 @@
+signature match, Found XXXX, XXXX
+signature match, Found ^XXXX, XXXX
+signature match, Found .*XXXX, XXXX
+signature match, Found YYYY, YYYY
+signature match, Found ^YYYY, YYYY
+signature match, Found .*YYYY, YYYY
--- a/testing/btest/Traces/udp-signature-test.pcap
+++ b/testing/btest/Traces/udp-signature-test.pcap
--- a/testing/btest/signatures/udp-packetwise-match.bro
+++ b/testing/btest/signatures/udp-packetwise-match.bro
@ -0,0 +1,53 @@
+# @TEST-EXEC: bro -r $TRACES/udp-signature-test.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load-sigs test.sig
+
+@TEST-START-FILE test.sig
+signature xxxx {
+ ip-proto = udp
+ payload /XXXX/
+ event "Found XXXX"
+}
+
+signature axxxx {
+ ip-proto = udp
+ payload /^XXXX/
+ event "Found ^XXXX"
+}
+
+signature sxxxx {
+ ip-proto = udp
+ payload /.*XXXX/
+ event "Found .*XXXX"
+}
+
+signature yyyy {
+ ip-proto = udp
+ payload /YYYY/
+ event "Found YYYY"
+}
+
+signature ayyyy {
+ ip-proto = udp
+ payload /^YYYY/
+ event "Found ^YYYY"
+}
+
+signature syyyy {
+ ip-proto = udp
+ payload /.*YYYY/
+ event "Found .*YYYY"
+}
+
+signature nope {
+ ip-proto = udp
+ payload /.*nope/
+ event "Found .*nope"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+	{
+	print "signature match", msg, data;
+	}