diff --git a/CHANGES b/CHANGES index e051516cd9..0b84f59178 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,28 @@ +2.1-82 | 2012-10-19 15:05:40 -0700 + + * Add IPv6 support to signature header conditions. (Jon Siwek) + + - "src-ip" and "dst-ip" conditions can now use IPv6 addresses/subnets. + They must be written in colon-hexadecimal representation and enclosed + in square brackets (e.g. [fe80::1]). Addresses #774. + + - "icmp6" is now a valid protocol for use with "ip-proto" and "header" + conditions. This allows signatures to be written that can match + against ICMPv6 payloads. Addresses #880. + + - "ip6" is now a valid protocol for use with the "header" condition. + (also the "ip-proto" condition, but it results in a no-op in that + case since signatures apply only to the inner-most IP packet when + packets are tunneled). This allows signatures to match specifically + against IPv6 packets (whereas "ip" only matches against IPv4 packets). + + - "ip-proto" conditions can now match against IPv6 packets. Before, + IPv6 packets were just silently ignored which meant DPD based on + signatures did not function for IPv6 -- protocol analyzers would only + get attached to a connection over IPv6 based on the well-known ports + set in the "dpd_config" table. + 2.1-80 | 2012-10-19 14:48:42 -0700 * Change how "gridftp" gets added to service field of connection diff --git a/VERSION b/VERSION index 91171a8103..a6d8fd0427 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-80 +2.1-82 diff --git a/aux/broctl b/aux/broctl index b8cbd5a46f..3d7c2d61e6 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit b8cbd5a46fd275c900b5c67f4c6abd5785b83a8a +Subproject commit 3d7c2d61e63d7d51c455363cdfe9373e4e680b89 diff --git a/doc/signatures.rst b/doc/signatures.rst index 36099ba40f..59ca819636 100644 --- a/doc/signatures.rst +++ b/doc/signatures.rst 
@@ -83,9 +83,8 @@ Header Conditions ~~~~~~~~~~~~~~~~~ Header conditions limit the applicability of the signature to a subset -of traffic that contains matching packet headers. For TCP, this match -is performed only for the first packet of a connection. For other -protocols, it is done on each individual packet. +of traffic that contains matching packet headers. This type of matching +is performed only for the first packet of a connection. There are pre-defined header conditions for some of the most used header fields. All of them generally have the format `` @@ -95,14 +94,22 @@ one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``; and against. The following keywords are defined: ``src-ip``/``dst-ip `` - Source and destination address, respectively. Addresses can be - given as IP addresses or CIDR masks. + Source and destination address, respectively. Addresses can be given + as IPv4 or IPv6 addresses or CIDR masks. For IPv6 addresses/masks + the colon-hexadecimal representation of the address must be enclosed + in square brackets (e.g. ``[fe80::1]`` or ``[fe80::0]/16``). -``src-port``/``dst-port`` ```` +``src-port``/``dst-port `` Source and destination port, respectively. -``ip-proto tcp|udp|icmp`` - IP protocol. +``ip-proto tcp|udp|icmp|icmp6|ip|ip6`` + IPv4 header's Protocol field or the Next Header field of the final + IPv6 header (i.e. either Next Header field in the fixed IPv6 header + if no extension headers are present or that field from the last + extension header in the chain). Note that the IP-in-IP forms of + tunneling are automatically decapsulated by default and signatures + apply to only the inner-most packet, so specifying ``ip`` or ``ip6`` + is a no-op. For lists of multiple values, they are sequentially compared against the corresponding header field. If at least one of the comparisons 
@@ -116,20 +123,22 @@ condition can be defined either as header [:] [& ] -This compares the value found at the given position of the packet -header with a list of values. ``offset`` defines the position of the -value within the header of the protocol defined by ``proto`` (which -can be ``ip``, ``tcp``, ``udp`` or ``icmp``). ``size`` is either 1, 2, -or 4 and specifies the value to have a size of this many bytes. If the -optional ``& `` is given, the packet's value is first masked -with the integer before it is compared to the value-list. ``cmp`` is -one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``. ``value-list`` is -a list of comma-separated integers similar to those described above. -The integers within the list may be followed by an additional ``/ -mask`` where ``mask`` is a value from 0 to 32. This corresponds to the -CIDR notation for netmasks and is translated into a corresponding -bitmask applied to the packet's value prior to the comparison (similar -to the optional ``& integer``). +This compares the value found at the given position of the packet header +with a list of values. ``offset`` defines the position of the value +within the header of the protocol defined by ``proto`` (which can be +``ip``, ``ip6``, ``tcp``, ``udp``, ``icmp`` or ``icmp6``). ``size`` is +either 1, 2, or 4 and specifies the value to have a size of this many +bytes. If the optional ``& `` is given, the packet's value is +first masked with the integer before it is compared to the value-list. +``cmp`` is one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``. +``value-list`` is a list of comma-separated integers similar to those +described above. The integers within the list may be followed by an +additional ``/ mask`` where ``mask`` is a value from 0 to 32. This +corresponds to the CIDR notation for netmasks and is translated into a +corresponding bitmask applied to the packet's value prior to the +comparison (similar to the optional ``& integer``). 
IPv6 address values +are not allowed in the value-list, though you can still inspect any 1, +2, or 4 byte section of an IPv6 header using this keyword. Putting it all together, this is an example condition that is equivalent to ``dst-ip == 1.2.3.4/16, 5.6.7.8/24``: @@ -138,8 +147,8 @@ equivalent to ``dst-ip == 1.2.3.4/16, 5.6.7.8/24``: header ip[16:4] == 1.2.3.4/16, 5.6.7.8/24 -Internally, the predefined header conditions are in fact just -short-cuts and mapped into a generic condition. +Note that the analogous example for IPv6 isn't currently possible since +4 bytes is the max width of a value that can be compared. Content Conditions ~~~~~~~~~~~~~~~~~~ diff --git a/src/IPAddr.h b/src/IPAddr.h index f664f649f9..6d26ef3fa8 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h @@ -342,6 +342,21 @@ public: return memcmp(&addr1.in6, &addr2.in6, sizeof(in6_addr)) < 0; } + friend bool operator<=(const IPAddr& addr1, const IPAddr& addr2) + { + return addr1 < addr2 || addr1 == addr2; + } + + friend bool operator>=(const IPAddr& addr1, const IPAddr& addr2) + { + return ! ( addr1 < addr2 ); + } + + friend bool operator>(const IPAddr& addr1, const IPAddr& addr2) + { + return ! ( addr1 <= addr2 ); + } + /** Converts the address into the type used internally by the * inter-thread communication. */ @@ -583,6 +598,11 @@ public: return net1.Prefix() == net2.Prefix() && net1.Length() == net2.Length(); } + friend bool operator!=(const IPPrefix& net1, const IPPrefix& net2) + { + return ! (net1 == net2); + } + /** * Comparison operator IP prefixes. This defines a well-defined order for * IP prefix. However, the order does not necessarily corresponding to their 
@@ -600,6 +620,21 @@ public: return false; } + friend bool operator<=(const IPPrefix& net1, const IPPrefix& net2) + { + return net1 < net2 || net1 == net2; + } + + friend bool operator>=(const IPPrefix& net1, const IPPrefix& net2) + { + return ! (net1 < net2 ); + } + + friend bool operator>(const IPPrefix& net1, const IPPrefix& net2) + { + return ! ( net1 <= net2 ); + } + private: IPAddr prefix; // We store it as an address with the non-prefix bits masked out via Mask(). uint8_t length; // The bit length of the prefix relative to full IPv6 addr. diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index c9cf1f5c11..c71f86108a 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -1,4 +1,5 @@ #include +#include #include "config.h" @@ -41,6 +42,23 @@ RuleHdrTest::RuleHdrTest(Prot arg_prot, uint32 arg_offset, uint32 arg_size, level = 0; } +RuleHdrTest::RuleHdrTest(Prot arg_prot, Comp arg_comp, vector arg_v) + { + prot = arg_prot; + offset = 0; + size = 0; + comp = arg_comp; + vals = new maskedvalue_list; + prefix_vals = arg_v; + sibling = 0; + child = 0; + pattern_rules = 0; + pure_rules = 0; + ruleset = new IntSet; + id = ++idcounter; + level = 0; + } + Val* RuleMatcher::BuildRuleStateValue(const Rule* rule, const RuleEndpointState* state) const { @@ -63,6 +81,8 @@ RuleHdrTest::RuleHdrTest(RuleHdrTest& h) loop_over_list(*h.vals, i) vals->append(new MaskedValue(*(*h.vals)[i])); + prefix_vals = h.prefix_vals; + for ( int j = 0; j < Rule::TYPES; ++j ) { loop_over_list(h.psets[j], k) @@ -114,6 +134,10 @@ bool RuleHdrTest::operator==(const RuleHdrTest& h) (*vals)[i]->mask != (*h.vals)[i]->mask ) return false; + for ( size_t i = 0; i < prefix_vals.size(); ++i ) + if ( ! (prefix_vals[i] == h.prefix_vals[i]) ) + return false; + return true; } 
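Review bot: The prefix comparison added to `RuleHdrTest::operator==` bounds its loop by `prefix_vals.size()` alone, so `h.prefix_vals[i]` is indexed past its end when `h` holds fewer prefixes, and two tests compare equal when `h` holds more. Add `if ( prefix_vals.size() != h.prefix_vals.size() ) return false;` before the loop. Presumably this operator decides whether header tests from different signatures are shared, in which case a false "equal" would evaluate one rule's `src-ip`/`dst-ip` condition against another rule's prefix list; the callers are not visible here. The function starts outside the hunk, so an equivalent length check for `vals` may already exist above.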
@@ -129,6 +153,9 @@ void RuleHdrTest::PrintDebug() fprintf(stderr, " 0x%08x/0x%08x", (*vals)[i]->val, (*vals)[i]->mask); + for ( size_t i = 0; i < prefix_vals.size(); ++i ) + fprintf(stderr, " %s", prefix_vals[i].AsString().c_str()); + fprintf(stderr, "\n"); } 
@@ -410,29 +437,129 @@ static inline uint32 getval(const u_char* data, int size) } -// A line which can be inserted into the macros below for debugging -// fprintf(stderr, "%.06f %08x & %08x %s %08x\n", network_time, v, (mvals)[i]->mask, #op, (mvals)[i]->val); - // Evaluate a value list (matches if at least one value matches). -#define DO_MATCH_OR( mvals, v, op ) \ - { \ - loop_over_list((mvals), i) \ - { \ - if ( ((v) & (mvals)[i]->mask) op (mvals)[i]->val ) \ - goto match; \ - } \ - goto no_match; \ +template +static inline bool match_or(const maskedvalue_list& mvals, uint32 v, FuncT comp) + { + loop_over_list(mvals, i) + { + if ( comp(v & mvals[i]->mask, mvals[i]->val) ) + return true; + } + return false; + } + +// Evaluate a prefix list (matches if at least one value matches). +template +static inline bool match_or(const vector& prefixes, const IPAddr& a, + FuncT comp) + { + for ( size_t i = 0; i < prefixes.size(); ++i ) + { + IPAddr masked(a); + masked.Mask(prefixes[i].LengthIPv6()); + if ( comp(masked, prefixes[i].Prefix()) ) + return true; + } + return false; } // Evaluate a value list (doesn't match if any value matches). -#define DO_MATCH_NOT_AND( mvals, v, op ) \ - { \ - loop_over_list((mvals), i) \ - { \ - if ( ((v) & (mvals)[i]->mask) op (mvals)[i]->val ) \ - goto no_match; \ - } \ - goto match; \ +template +static inline bool match_not_and(const maskedvalue_list& mvals, uint32 v, + FuncT comp) + { + loop_over_list(mvals, i) + { + if ( comp(v & mvals[i]->mask, mvals[i]->val) ) + return false; + } + return true; + } + +// Evaluate a prefix list (doesn't match if any value matches). 
+template +static inline bool match_not_and(const vector& prefixes, + const IPAddr& a, FuncT comp) + { + for ( size_t i = 0; i < prefixes.size(); ++i ) + { + IPAddr masked(a); + masked.Mask(prefixes[i].LengthIPv6()); + if ( comp(masked, prefixes[i].Prefix()) ) + return false; + } + return true; + } + +static inline bool compare(const maskedvalue_list& mvals, uint32 v, + RuleHdrTest::Comp comp) + { + switch ( comp ) { + case RuleHdrTest::EQ: + return match_or(mvals, v, std::equal_to()); + break; + + case RuleHdrTest::NE: + return match_not_and(mvals, v, std::equal_to()); + break; + + case RuleHdrTest::LT: + return match_or(mvals, v, std::less()); + break; + + case RuleHdrTest::GT: + return match_or(mvals, v, std::greater()); + break; + + case RuleHdrTest::LE: + return match_or(mvals, v, std::less_equal()); + break; + + case RuleHdrTest::GE: + return match_or(mvals, v, std::greater_equal()); + break; + + default: + reporter->InternalError("unknown comparison type"); + break; + } + return false; + } + +static inline bool compare(const vector& prefixes, const IPAddr& a, + RuleHdrTest::Comp comp) + { + switch ( comp ) { + case RuleHdrTest::EQ: + return match_or(prefixes, a, std::equal_to()); + break; + + case RuleHdrTest::NE: + return match_not_and(prefixes, a, std::equal_to()); + break; + + case RuleHdrTest::LT: + return match_or(prefixes, a, std::less()); + break; + + case RuleHdrTest::GT: + return match_or(prefixes, a, std::greater()); + break; + + case RuleHdrTest::LE: + return match_or(prefixes, a, std::less_equal()); + break; + + case RuleHdrTest::GE: + return match_or(prefixes, a, std::greater_equal()); + break; + + default: + reporter->InternalError("unknown comparison type"); + break; + } + return false; } RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer, 
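Review bot: The prefix overloads of `match_or` and `match_not_and` need a comment stating what an ordering comparison means for `src-ip`/`dst-ip`, because the code masks the packet address to each prefix length and compares it with that prefix's network address. With `<`, `>`, `<=` or `>=` the result follows `IPAddr`'s `operator<` (a `memcmp` of the address bytes, per the IPAddr.h context in this commit), not subnet containment, so a signature author who reads it as a range test gets a condition that silently matches different traffic. I would add above the first prefix overload: `// Ordering comparisons order the masked address against each prefix's network address; only == and != express subnet membership.` The `break` statements after each `return` in both `compare` functions are unreachable and can be dropped.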
@@ -492,66 +619,54 @@ RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer, if ( ip ) { - // Get start of transport layer. - const u_char* transport = ip->Payload(); - // Descend the RuleHdrTest tree further. for ( RuleHdrTest* h = hdr_test->child; h; h = h->sibling ) { - const u_char* data; + bool match = false; // Evaluate the header test. switch ( h->prot ) { + case RuleHdrTest::NEXT: + match = compare(*h->vals, ip->NextProto(), h->comp); + break; + case RuleHdrTest::IP: - data = (const u_char*) ip->IP4_Hdr(); + if ( ! ip->IP4_Hdr() ) + continue; + + match = compare(*h->vals, getval((const u_char*)ip->IP4_Hdr() + h->offset, h->size), h->comp); + break; + + case RuleHdrTest::IPv6: + if ( ! ip->IP6_Hdr() ) + continue; + + match = compare(*h->vals, getval((const u_char*)ip->IP6_Hdr() + h->offset, h->size), h->comp); break; case RuleHdrTest::ICMP: + case RuleHdrTest::ICMPv6: case RuleHdrTest::TCP: case RuleHdrTest::UDP: - data = transport; + match = compare(*h->vals, getval(ip->Payload() + h->offset, h->size), h->comp); + break; + + case RuleHdrTest::IPSrc: + match = compare(h->prefix_vals, ip->IPHeaderSrcAddr(), h->comp); + break; + + case RuleHdrTest::IPDst: + match = compare(h->prefix_vals, ip->IPHeaderDstAddr(), h->comp); break; default: - data = 0; reporter->InternalError("unknown protocol"); + break; } - // ### data can be nil here if it's an - // IPv6 packet and we're doing an IP test. - if ( ! 
data ) - continue; - - // Sorry for the hidden gotos :-) - switch ( h->comp ) { - case RuleHdrTest::EQ: - DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), ==); - - case RuleHdrTest::NE: - DO_MATCH_NOT_AND(*h->vals, getval(data + h->offset, h->size), ==); - - case RuleHdrTest::LT: - DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), <); - - case RuleHdrTest::GT: - DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), >); - - case RuleHdrTest::LE: - DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), <=); - - case RuleHdrTest::GE: - DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), >=); - - default: - reporter->InternalError("unknown comparision type"); - } - -no_match: - continue; - -match: - tests.append(h); + if ( match ) + tests.append(h); } } } @@ -1028,7 +1143,7 @@ void RuleMatcher::DumpStateStats(BroFile* f, RuleHdrTest* hdr_test) Rule* r = Rule::rule_table[set->ids[k] - 1]; f->Write(fmt("%s ", r->ID())); } - + f->Write("\n"); } } @@ -1050,8 +1165,11 @@ static Val* get_bro_val(const char* label) } -// Converts an atomic Val and appends it to the list -static bool val_to_maskedval(Val* v, maskedvalue_list* append_to) +// Converts an atomic Val and appends it to the list. For subnet types, +// if the prefix_vector param isn't null, appending to that is preferred +// over appending to the masked val list. +static bool val_to_maskedval(Val* v, maskedvalue_list* append_to, + vector* prefix_vector) { MaskedValue* mval = new MaskedValue; 
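Review bot: The new `IPv6` case reads `getval((const u_char*)ip->IP6_Hdr() + h->offset, h->size)` with `h->offset` taken from the signature and no comparison against the header or captured length; the `IP` case and the transport cases (`ip->Payload() + h->offset`) do the same, carried over from the removed macro path. Nothing in this hunk shows that the packet holds `offset + size` bytes, so a truncated packet or a large offset in a `header` condition can make `getval` read beyond the buffer, unless a length check exists in code outside the hunk. I would skip the test when the bytes are not available, e.g. `if ( h->offset + h->size > avail ) continue;`, where `avail` is a placeholder for the captured byte count from that header onward (how to obtain it from `IP_Hdr` is not visible here). `InitEndpoint` starts and ends outside the hunk.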
@@ -1071,29 +1189,37 @@ static bool val_to_maskedval(Val* v, maskedvalue_list* append_to) case TYPE_SUBNET: { - const uint32* n; - uint32 m[4]; - v->AsSubNet().Prefix().GetBytes(&n); - v->AsSubNetVal()->Mask().CopyIPv6(m); - - for ( unsigned int i = 0; i < 4; ++i ) - m[i] = ntohl(m[i]); - - bool is_v4_mask = m[0] == 0xffffffff && - m[1] == m[0] && m[2] == m[0]; - - if ( v->AsSubNet().Prefix().GetFamily() == IPv4 && - is_v4_mask ) + if ( prefix_vector ) { - mval->val = ntohl(*n); - mval->mask = m[3]; + prefix_vector->push_back(v->AsSubNet()); + delete mval; + return true; } - else { - rules_error("IPv6 subnets not supported"); - mval->val = 0; - mval->mask = 0; + const uint32* n; + uint32 m[4]; + v->AsSubNet().Prefix().GetBytes(&n); + v->AsSubNetVal()->Mask().CopyIPv6(m); + + for ( unsigned int i = 0; i < 4; ++i ) + m[i] = ntohl(m[i]); + + bool is_v4_mask = m[0] == 0xffffffff && + m[1] == m[0] && m[2] == m[0]; + + + if ( v->AsSubNet().Prefix().GetFamily() == IPv4 && is_v4_mask ) + { + mval->val = ntohl(*n); + mval->mask = m[3]; + } + else + { + rules_error("IPv6 subnets not supported"); + mval->val = 0; + mval->mask = 0; + } } } break; @@ -1108,7 +1234,8 @@ static bool val_to_maskedval(Val* v, maskedvalue_list* append_to) return true; } -void id_to_maskedvallist(const char* id, maskedvalue_list* append_to) +void id_to_maskedvallist(const char* id, maskedvalue_list* append_to, + vector* prefix_vector) { Val* v = get_bro_val(id); if ( ! v ) @@ -1118,7 +1245,7 @@ void id_to_maskedvallist(const char* id, maskedvalue_list* append_to) { val_list* vals = v->AsTableVal()->ConvertToPureList()->Vals(); loop_over_list(*vals, i ) - if ( ! val_to_maskedval((*vals)[i], append_to) ) + if ( ! val_to_maskedval((*vals)[i], append_to, prefix_vector) ) { delete_vals(vals); return; 
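Review bot: `val_to_maskedval` returns early only for `TYPE_SUBNET` when `prefix_vector` is set, while the new `prefix_value_list` rules in rule-parse.y call `id_to_maskedvallist($1, 0, $$)` with a null `append_to`. If the tail of the function appends `mval` to `append_to` (that line is outside the hunk, but the function's comment says it appends), an identifier used in `src-ip`/`dst-ip` that resolves to a non-subnet value dereferences a null list while signatures load. When `prefix_vector` is non-null I would reject other types explicitly, e.g. `rules_error("src-ip/dst-ip identifier must be a subnet"); delete mval; return false;`, or at minimum guard the append with `if ( append_to )`.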
@@ -1128,7 +1255,7 @@ void id_to_maskedvallist(const char* id, maskedvalue_list* append_to) } else - val_to_maskedval(v, append_to); + val_to_maskedval(v, append_to, prefix_vector); } char* id_to_str(const char* id) diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index 5bba69e130..b8895513b4 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h @@ -2,7 +2,9 @@ #define sigs_h #include +#include +#include "IPAddr.h" #include "BroString.h" #include "List.h" #include "RE.h" @@ -59,17 +61,19 @@ declare(PList, BroString); typedef PList(BroString) bstr_list; // Get values from Bro's script-level variables. -extern void id_to_maskedvallist(const char* id, maskedvalue_list* append_to); +extern void id_to_maskedvallist(const char* id, maskedvalue_list* append_to, + vector* prefix_vector = 0); extern char* id_to_str(const char* id); extern uint32 id_to_uint(const char* id); class RuleHdrTest { public: enum Comp { LE, GE, LT, GT, EQ, NE }; - enum Prot { NOPROT, IP, ICMP, TCP, UDP }; + enum Prot { NOPROT, IP, IPv6, ICMP, ICMPv6, TCP, UDP, NEXT, IPSrc, IPDst }; RuleHdrTest(Prot arg_prot, uint32 arg_offset, uint32 arg_size, Comp arg_comp, maskedvalue_list* arg_vals); + RuleHdrTest(Prot arg_prot, Comp arg_comp, vector arg_v); ~RuleHdrTest(); void PrintDebug(); @@ -86,6 +90,7 @@ private: Prot prot; Comp comp; maskedvalue_list* vals; + vector prefix_vals; // for use with IPSrc/IPDst comparisons uint32 offset; uint32 size; diff --git a/src/rule-parse.y b/src/rule-parse.y index c8770c3e22..47346eb7b9 100644 --- a/src/rule-parse.y +++ b/src/rule-parse.y 
@@ -1,13 +1,30 @@ %{ #include +#include +#include +#include "config.h" #include "RuleMatcher.h" #include "Reporter.h" +#include "IPAddr.h" +#include "net_util.h" extern void begin_PS(); extern void end_PS(); Rule* current_rule = 0; const char* current_rule_file = 0; + +static uint8_t mask_to_len(uint32_t mask) + { + if ( mask == 0xffffffff ) + return 32; + + uint32_t x = ~mask + 1; + uint8_t len; + for ( len = 0; len < 32 && (! (x & (1 << len))); ++len ); + + return len; + } %} %token TOK_COMP @@ -21,6 +38,7 @@ const char* current_rule_file = 0; %token TOK_IDENT %token TOK_INT %token TOK_IP +%token TOK_IP6 %token TOK_IP_OPTIONS %token TOK_IP_OPTION_SYM %token TOK_IP_PROTO @@ -49,7 +67,9 @@ const char* current_rule_file = 0; %type hdr_expr %type range rangeopt %type value_list +%type prefix_value_list %type TOK_IP value +%type TOK_IP6 prefix_value %type TOK_PROT %type TOK_PATTERN_TYPE @@ -57,6 +77,8 @@ const char* current_rule_file = 0; Rule* rule; RuleHdrTest* hdr_test; maskedvalue_list* vallist; + vector* prefix_val_list; + IPPrefix* prefixval; bool bl; int val; @@ -91,11 +113,11 @@ rule_attr_list: ; rule_attr: - TOK_DST_IP TOK_COMP value_list + TOK_DST_IP TOK_COMP prefix_value_list { current_rule->AddHdrTest(new RuleHdrTest( - RuleHdrTest::IP, 16, 4, - (RuleHdrTest::Comp) $2, $3)); + RuleHdrTest::IPDst, + (RuleHdrTest::Comp) $2, *($3))); } | TOK_DST_PORT TOK_COMP value_list 
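Review bot: `mask_to_len` returns the index of the lowest set bit of `~mask + 1`, which is the number of host bits, so a netmask of 0xffffff00 yields 8 where a prefix length of 24 is expected; only /16 and the special-cased /32 come out right, and a mask of 0 yields 32. This assumes `$1.mask` is a conventional netmask, as the `0xffffffff` special case suggests; the scanner code that sets it is not fully visible. As written, `src-ip`/`dst-ip` conditions with other IPv4 CIDR lengths would be built with the wrong prefix and match a different subnet than the signature states, which is a silent detection gap. The last line should be `return 32 - len;`, which also makes the special case unnecessary, and the shift should be `1u << len` to avoid shifting into the sign bit at `len == 31`.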
@@ -123,10 +145,14 @@ rule_attr: { int proto = 0; switch ( $3 ) { - case RuleHdrTest::ICMP: proto = 1; break; + case RuleHdrTest::ICMP: proto = IPPROTO_ICMP; break; + case RuleHdrTest::ICMPv6: proto = IPPROTO_ICMPV6; break; + // signature matching against outer packet headers of IP-in-IP + // tunneling not supported, so do a no-op there case RuleHdrTest::IP: proto = 0; break; - case RuleHdrTest::TCP: proto = 6; break; - case RuleHdrTest::UDP: proto = 17; break; + case RuleHdrTest::IPv6: proto = 0; break; + case RuleHdrTest::TCP: proto = IPPROTO_TCP; break; + case RuleHdrTest::UDP: proto = IPPROTO_UDP; break; default: rules_error("internal_error: unknown protocol"); } @@ -140,16 +166,20 @@ rule_attr: val->mask = 0xffffffff; vallist->append(val); + // offset & size params are dummies, actual next proto value in + // header is retrieved dynamically via IP_Hdr::NextProto() current_rule->AddHdrTest(new RuleHdrTest( - RuleHdrTest::IP, 9, 1, + RuleHdrTest::NEXT, 0, 0, (RuleHdrTest::Comp) $2, vallist)); } } | TOK_IP_PROTO TOK_COMP value_list { + // offset & size params are dummies, actual next proto value in + // header is retrieved dynamically via IP_Hdr::NextProto() current_rule->AddHdrTest(new RuleHdrTest( - RuleHdrTest::IP, 9, 1, + RuleHdrTest::NEXT, 0, 0, (RuleHdrTest::Comp) $2, $3)); } @@ -193,11 +223,11 @@ rule_attr: | TOK_SAME_IP { current_rule->AddCondition(new RuleConditionSameIP()); } - | TOK_SRC_IP TOK_COMP value_list + | TOK_SRC_IP TOK_COMP prefix_value_list { current_rule->AddHdrTest(new RuleHdrTest( - RuleHdrTest::IP, 12, 4, - (RuleHdrTest::Comp) $2, $3)); + RuleHdrTest::IPSrc, + (RuleHdrTest::Comp) $2, *($3))); } | TOK_SRC_PORT TOK_COMP value_list 
@@ -254,6 +284,38 @@ value_list: } ; +prefix_value_list: + prefix_value_list ',' prefix_value + { + $$ = $1; + $$->push_back(*($3)); + } + | prefix_value_list ',' TOK_IDENT + { + $$ = $1; + id_to_maskedvallist($3, 0, $1); + } + | prefix_value + { + $$ = new vector(); + $$->push_back(*($1)); + } + | TOK_IDENT + { + $$ = new vector(); + id_to_maskedvallist($1, 0, $$); + } + ; + +prefix_value: + TOK_IP + { + $$ = new IPPrefix(IPAddr(IPv4, &($1.val), IPAddr::Host), + mask_to_len($1.mask)); + } + | TOK_IP6 + ; + value: TOK_INT { $$.val = $1; $$.mask = 0xffffffff; } diff --git a/src/rule-scan.l b/src/rule-scan.l index 781c477ff2..d516a98e89 100644 --- a/src/rule-scan.l +++ b/src/rule-scan.l @@ -1,24 +1,38 @@ %{ -typedef unsigned int uint32; - #include +#include #include #include #include #include #include "RuleMatcher.h" +#include "IPAddr.h" +#include "util.h" #include "rule-parse.h" int rules_line_number = 0; + +static string extract_ipv6(string s) + { + if ( s.substr(0, 3) == "[0x" ) + s = s.substr(3, s.find("]") - 3); + else + s = s.substr(1, s.find("]") - 1); + + return s; + } %} %x PS +OWS [ \t]* WS [ \t]+ D [0-9]+ H [0-9a-fA-F]+ +HEX {H} STRING \"([^\n\"]|\\\")*\" ID ([0-9a-zA-Z_-]+::)*[0-9a-zA-Z_-]+ +IP6 ("["({HEX}:){7}{HEX}"]")|("["0x{HEX}({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*({D}"."){3}{D}"]") RE \/(\\\/)?([^/]|[^\\]\\\/)*\/ META \.[^ \t]+{WS}[^\n]+ PID ([0-9a-zA-Z_-]|"::")+ @@ -34,6 +48,19 @@ PID ([0-9a-zA-Z_-]|"::")+ \n ++rules_line_number; } +{IP6} { + rules_lval.prefixval = new IPPrefix(IPAddr(extract_ipv6(yytext)), 128); + return TOK_IP6; + } + +{IP6}{OWS}"/"{OWS}{D} { + char* l = strchr(yytext, '/'); + *l++ = '\0'; + int len = atoi(l); + rules_lval.prefixval = new IPPrefix(IPAddr(extract_ipv6(yytext)), len); + return TOK_IP6; + } + [!\]\[{}&:,] return rules_text[0]; "<=" { rules_lval.val = RuleHdrTest::LE; return TOK_COMP; } 
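Review bot: The `prefix_value` action allocates `new IPPrefix(...)` and the list rules copy it with `push_back(*($3))` or `push_back(*($1))` without deleting the pointer, so every literal address in a `src-ip`/`dst-ip` list leaks one object. The same applies to the `new vector` built here, since the `TOK_SRC_IP` and `TOK_DST_IP` actions in the earlier hunks pass `*($3)` by value to the `RuleHdrTest` constructor and drop the pointer. Add `delete $3;` (or `delete $1;` in the single-element rule) after each `push_back`, and `delete $3;` after `AddHdrTest` in those two actions. The `TOK_IP6` alternative has no action and relies on the default `$$ = $1`; a one-line comment saying so would help the next reader.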
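Review bot: The `{IP6}{OWS}"/"{OWS}{D}` rule passes `atoi(l)` straight to `IPPrefix` with no range check, so a signature file can specify a prefix length above 128 or a digit string that overflows `int`. What `IPPrefix` does with such a length is not visible on this page; either way a malformed signature should be rejected with a rule error at load time so it cannot produce an unexpected mask. I would add `if ( len < 0 || len > 128 ) rules_error("invalid IPv6 prefix length");` before constructing the prefix, assuming `rules_error` is reachable from the scanner as it is from the parser.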
@@ -45,7 +72,9 @@ PID ([0-9a-zA-Z_-]|"::")+ "!=" { rules_lval.val = RuleHdrTest::NE; return TOK_COMP; } ip { rules_lval.val = RuleHdrTest::IP; return TOK_PROT; } +ip6 { rules_lval.val = RuleHdrTest::IPv6; return TOK_PROT; } icmp { rules_lval.val = RuleHdrTest::ICMP; return TOK_PROT; } +icmp6 { rules_lval.val = RuleHdrTest::ICMPv6; return TOK_PROT; } tcp { rules_lval.val = RuleHdrTest::TCP; return TOK_PROT; } udp { rules_lval.val = RuleHdrTest::UDP; return TOK_PROT; } @@ -123,7 +152,7 @@ http { rules_lval.val = Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; } ftp { rules_lval.val = Rule::FTP; return TOK_PATTERN_TYPE; } finger { rules_lval.val = Rule::FINGER; return TOK_PATTERN_TYPE; } -{D}("."{D}){3}"/"{D} { +{D}("."{D}){3}{OWS}"/"{OWS}{D} { char* s = strchr(yytext, '/'); *s++ = '\0'; diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out new file mode 100644 index 0000000000..abb41f330c --- /dev/null +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out 
@@ -0,0 +1,79 @@ +dpd_config, { + +} +signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client +ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. +ftp_request 141.142.220.235:50003 - USER anonymous +ftp_reply 199.233.217.249:21 - 331 Guest login ok, type your name as password. +signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_server +ftp_request 141.142.220.235:50003 - PASS test +ftp_reply 199.233.217.249:21 - 230 +ftp_reply 199.233.217.249:21 - 0 The NetBSD Project FTP Server located in Redwood City, CA, USA +ftp_reply 199.233.217.249:21 - 0 1 Gbps connectivity courtesy of , , +ftp_reply 199.233.217.249:21 - 0 Internet Systems Consortium WELCOME! /( )` +ftp_reply 199.233.217.249:21 - 0 \ \___ / | +ftp_reply 199.233.217.249:21 - 0 +--- Currently Supported Platforms ----+ /- _ `-/ ' +ftp_reply 199.233.217.249:21 - 0 | acorn[26,32], algor, alpha, amd64, | (/\/ \ \ /\ +ftp_reply 199.233.217.249:21 - 0 | amiga[,ppc], arc, atari, bebox, | / / | ` \ +ftp_reply 199.233.217.249:21 - 0 | cats, cesfic, cobalt, dreamcast, | O O ) / | +ftp_reply 199.233.217.249:21 - 0 | evb[arm,mips,ppc,sh3], hp[300,700], | `-^--'`< ' +ftp_reply 199.233.217.249:21 - 0 | hpc[arm,mips,sh], i386, | (_.) _ ) / +ftp_reply 199.233.217.249:21 - 0 | ibmnws, iyonix, luna68k, | .___/` / +ftp_reply 199.233.217.249:21 - 0 | mac[m68k,ppc], mipsco, mmeye, | `-----' / +ftp_reply 199.233.217.249:21 - 0 | mvme[m68k,ppc], netwinders, | <----. 
__ / __ \ +ftp_reply 199.233.217.249:21 - 0 | news[m68k,mips], next68k, ofppc, | <----|====O)))==) \) /==== +ftp_reply 199.233.217.249:21 - 0 | playstation2, pmax, prep, sandpoint, | <----' `--' `.__,' \ +ftp_reply 199.233.217.249:21 - 0 | sbmips, sgimips, shark, sparc[,64], | | | +ftp_reply 199.233.217.249:21 - 0 | sun[2,3], vax, x68k, xen | \ / +ftp_reply 199.233.217.249:21 - 0 +--------------------------------------+ ______( (_ / \_____ +ftp_reply 199.233.217.249:21 - 0 See our website at http://www.NetBSD.org/ ,' ,-----' | \ +ftp_reply 199.233.217.249:21 - 0 We log all FTP transfers and commands. `--{__________) (FL) \/ +ftp_reply 199.233.217.249:21 - 0 230- +ftp_reply 199.233.217.249:21 - 0 EXPORT NOTICE +ftp_reply 199.233.217.249:21 - 0 +ftp_reply 199.233.217.249:21 - 0 Please note that portions of this FTP site contain cryptographic +ftp_reply 199.233.217.249:21 - 0 software controlled under the Export Administration Regulations (EAR). +ftp_reply 199.233.217.249:21 - 0 +ftp_reply 199.233.217.249:21 - 0 None of this software may be downloaded or otherwise exported or +ftp_reply 199.233.217.249:21 - 0 re-exported into (or to a national or resident of) Cuba, Iran, Libya, +ftp_reply 199.233.217.249:21 - 0 Sudan, North Korea, Syria or any other country to which the U.S. has +ftp_reply 199.233.217.249:21 - 0 embargoed goods. +ftp_reply 199.233.217.249:21 - 0 +ftp_reply 199.233.217.249:21 - 0 By downloading or using said software, you are agreeing to the +ftp_reply 199.233.217.249:21 - 0 foregoing and you are representing and warranting that you are not +ftp_reply 199.233.217.249:21 - 0 located in, under the control of, or a national or resident of any +ftp_reply 199.233.217.249:21 - 0 such country or on any such list. +ftp_reply 199.233.217.249:21 - 230 Guest login ok, access restrictions apply. 
+ftp_request 141.142.220.235:50003 - SYST +ftp_reply 199.233.217.249:21 - 215 UNIX Type: L8 Version: NetBSD-ftpd 20100320 +ftp_request 141.142.220.235:50003 - PASV +ftp_reply 199.233.217.249:21 - 227 Entering Passive Mode (199,233,217,249,221,90) +ftp_request 141.142.220.235:50003 - LIST +ftp_reply 199.233.217.249:21 - 150 Opening ASCII mode data connection for '/bin/ls'. +ftp_reply 199.233.217.249:21 - 226 Transfer complete. +ftp_request 141.142.220.235:50003 - TYPE I +ftp_reply 199.233.217.249:21 - 200 Type set to I. +ftp_request 141.142.220.235:50003 - PASV +ftp_reply 199.233.217.249:21 - 227 Entering Passive Mode (199,233,217,249,221,91) +ftp_request 141.142.220.235:50003 - RETR robots.txt +ftp_reply 199.233.217.249:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes). +ftp_reply 199.233.217.249:21 - 226 Transfer complete. +ftp_request 141.142.220.235:50003 - TYPE A +ftp_reply 199.233.217.249:21 - 200 Type set to A. +ftp_request 141.142.220.235:50003 - PORT 141,142,220,235,131,46 +ftp_reply 199.233.217.249:21 - 200 PORT command successful. +ftp_request 141.142.220.235:50003 - LIST +ftp_reply 199.233.217.249:21 - 150 Opening ASCII mode data connection for '/bin/ls'. +ftp_reply 199.233.217.249:21 - 226 Transfer complete. +ftp_request 141.142.220.235:50003 - TYPE I +ftp_reply 199.233.217.249:21 - 200 Type set to I. +ftp_request 141.142.220.235:50003 - PORT 141,142,220,235,147,203 +ftp_reply 199.233.217.249:21 - 200 PORT command successful. +ftp_request 141.142.220.235:50003 - RETR robots.txt +ftp_reply 199.233.217.249:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes). +ftp_reply 199.233.217.249:21 - 226 Transfer complete. +ftp_request 141.142.220.235:50003 - QUIT +ftp_reply 199.233.217.249:21 - 221 +ftp_reply 199.233.217.249:21 - 0 Data traffic for this session was 154 bytes in 2 files. +ftp_reply 199.233.217.249:21 - 0 Total traffic for this session was 4037 bytes in 4 transfers. 
+ftp_reply 199.233.217.249:21 - 221 Thank you for using the FTP service on ftp.NetBSD.org. diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out new file mode 100644 index 0000000000..a2227ee890 --- /dev/null +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out 
@@ -0,0 +1,100 @@ +dpd_config, { + +} +signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client +ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. +ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous +ftp_reply [2001:470:4867:99::21]:21 - 331 Guest login ok, type your name as password. +signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_server +ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - PASS test +ftp_reply [2001:470:4867:99::21]:21 - 230 +ftp_reply [2001:470:4867:99::21]:21 - 0 The NetBSD Project FTP Server located in Redwood City, CA, USA +ftp_reply [2001:470:4867:99::21]:21 - 0 1 Gbps connectivity courtesy of , , +ftp_reply [2001:470:4867:99::21]:21 - 0 Internet Systems Consortium WELCOME! /( )` +ftp_reply [2001:470:4867:99::21]:21 - 0 \ \___ / | +ftp_reply [2001:470:4867:99::21]:21 - 0 +--- Currently Supported Platforms ----+ /- _ `-/ ' +ftp_reply [2001:470:4867:99::21]:21 - 0 | acorn[26,32], algor, alpha, amd64, | (/\/ \ \ /\ +ftp_reply [2001:470:4867:99::21]:21 - 0 | amiga[,ppc], arc, atari, bebox, | / / | ` \ +ftp_reply [2001:470:4867:99::21]:21 - 0 | cats, cesfic, cobalt, dreamcast, | O O ) / | +ftp_reply [2001:470:4867:99::21]:21 - 0 | evb[arm,mips,ppc,sh3], hp[300,700], | `-^--'`< ' +ftp_reply [2001:470:4867:99::21]:21 - 0 | hpc[arm,mips,sh], i386, | (_.) _ ) / +ftp_reply [2001:470:4867:99::21]:21 - 0 | ibmnws, iyonix, luna68k, | .___/` / +ftp_reply [2001:470:4867:99::21]:21 - 0 | mac[m68k,ppc], mipsco, mmeye, | `-----' / +ftp_reply [2001:470:4867:99::21]:21 - 0 | mvme[m68k,ppc], netwinders, | <----. 
__ / __ \ +ftp_reply [2001:470:4867:99::21]:21 - 0 | news[m68k,mips], next68k, ofppc, | <----|====O)))==) \) /==== +ftp_reply [2001:470:4867:99::21]:21 - 0 | playstation2, pmax, prep, sandpoint, | <----' `--' `.__,' \ +ftp_reply [2001:470:4867:99::21]:21 - 0 | sbmips, sgimips, shark, sparc[,64], | | | +ftp_reply [2001:470:4867:99::21]:21 - 0 | sun[2,3], vax, x68k, xen | \ / +ftp_reply [2001:470:4867:99::21]:21 - 0 +--------------------------------------+ ______( (_ / \_____ +ftp_reply [2001:470:4867:99::21]:21 - 0 See our website at http://www.NetBSD.org/ ,' ,-----' | \ +ftp_reply [2001:470:4867:99::21]:21 - 0 We log all FTP transfers and commands. `--{__________) (FL) \/ +ftp_reply [2001:470:4867:99::21]:21 - 0 230- +ftp_reply [2001:470:4867:99::21]:21 - 0 EXPORT NOTICE +ftp_reply [2001:470:4867:99::21]:21 - 0 +ftp_reply [2001:470:4867:99::21]:21 - 0 Please note that portions of this FTP site contain cryptographic +ftp_reply [2001:470:4867:99::21]:21 - 0 software controlled under the Export Administration Regulations (EAR). +ftp_reply [2001:470:4867:99::21]:21 - 0 +ftp_reply [2001:470:4867:99::21]:21 - 0 None of this software may be downloaded or otherwise exported or +ftp_reply [2001:470:4867:99::21]:21 - 0 re-exported into (or to a national or resident of) Cuba, Iran, Libya, +ftp_reply [2001:470:4867:99::21]:21 - 0 Sudan, North Korea, Syria or any other country to which the U.S. has +ftp_reply [2001:470:4867:99::21]:21 - 0 embargoed goods. +ftp_reply [2001:470:4867:99::21]:21 - 0 +ftp_reply [2001:470:4867:99::21]:21 - 0 By downloading or using said software, you are agreeing to the +ftp_reply [2001:470:4867:99::21]:21 - 0 foregoing and you are representing and warranting that you are not +ftp_reply [2001:470:4867:99::21]:21 - 0 located in, under the control of, or a national or resident of any +ftp_reply [2001:470:4867:99::21]:21 - 0 such country or on any such list. +ftp_reply [2001:470:4867:99::21]:21 - 230 Guest login ok, access restrictions apply. 
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - SYST
+ftp_reply [2001:470:4867:99::21]:21 - 215 UNIX Type: L8 Version: NetBSD-ftpd 20100320
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - FEAT
+ftp_reply [2001:470:4867:99::21]:21 - 211 Features supported
+ftp_reply [2001:470:4867:99::21]:21 - 0 MDTM
+ftp_reply [2001:470:4867:99::21]:21 - 0 MLST Type*;Size*;Modify*;Perm*;Unique*;
+ftp_reply [2001:470:4867:99::21]:21 - 0 REST STREAM
+ftp_reply [2001:470:4867:99::21]:21 - 0 SIZE
+ftp_reply [2001:470:4867:99::21]:21 - 0 TVFS
+ftp_reply [2001:470:4867:99::21]:21 - 211 End
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - PWD
+ftp_reply [2001:470:4867:99::21]:21 - 257 "/" is the current directory.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPSV
+ftp_reply [2001:470:4867:99::21]:21 - 229 Entering Extended Passive Mode (|||57086|)
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - LIST
+ftp_reply [2001:470:4867:99::21]:21 - 150 Opening ASCII mode data connection for '/bin/ls'.
+ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPSV
+ftp_reply [2001:470:4867:99::21]:21 - 229 Entering Extended Passive Mode (|||57087|)
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - NLST
+ftp_reply [2001:470:4867:99::21]:21 - 150 Opening ASCII mode data connection for 'file list'.
+ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - TYPE I
+ftp_reply [2001:470:4867:99::21]:21 - 200 Type set to I.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - SIZE robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 213 77
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPSV
+ftp_reply [2001:470:4867:99::21]:21 - 229 Entering Extended Passive Mode (|||57088|)
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - RETR robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes).
+ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - MDTM robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 213 20090816112038
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - SIZE robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 213 77
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPRT |2|2001:470:1f11:81f:c999:d94:aa7c:2e3e|49189|
+ftp_reply [2001:470:4867:99::21]:21 - 200 EPRT command successful.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - RETR robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes).
+ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - MDTM robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 213 20090816112038
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - TYPE A
+ftp_reply [2001:470:4867:99::21]:21 - 200 Type set to A.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPRT |2|2001:470:1f11:81f:c999:d94:aa7c:2e3e|49190|
+ftp_reply [2001:470:4867:99::21]:21 - 200 EPRT command successful.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - LIST
+ftp_reply [2001:470:4867:99::21]:21 - 150 Opening ASCII mode data connection for '/bin/ls'.
+ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - QUIT
+ftp_reply [2001:470:4867:99::21]:21 - 221
+ftp_reply [2001:470:4867:99::21]:21 - 0 Data traffic for this session was 154 bytes in 2 files.
+ftp_reply [2001:470:4867:99::21]:21 - 0 Total traffic for this session was 4512 bytes in 5 transfers.
+ftp_reply [2001:470:4867:99::21]:21 - 221 Thank you for using the FTP service on ftp.NetBSD.org.
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
new file mode 100644
index 0000000000..55566505d8
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
@@ -0,0 +1,3 @@
+dpd_config, {
+
+}
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
new file mode 100644
index 0000000000..55566505d8
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
@@ -0,0 +1,3 @@
+dpd_config, {
+
+}
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-eq-list.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-eq-list.out
new file mode 100644
index 0000000000..06d3c27188
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-eq-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq-list
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-eq-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-eq-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-eq.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-eq.out
new file mode 100644
index 0000000000..8bad163eeb
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-eq.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne-list-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne-list-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne-list.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne-list.out
new file mode 100644
index 0000000000..a1c0ea8927
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne-list
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne.out
new file mode 100644
index 0000000000..8249781376
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-eq-list.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-eq-list.out
new file mode 100644
index 0000000000..06d3c27188
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-eq-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq-list
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-eq-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-eq-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-eq.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-eq.out
new file mode 100644
index 0000000000..8bad163eeb
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-eq.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne-list-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne-list-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne-list.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne-list.out
new file mode 100644
index 0000000000..a1c0ea8927
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne-list
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne.out
new file mode 100644
index 0000000000..8249781376
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-eq-list.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-eq-list.out
new file mode 100644
index 0000000000..7396460f22
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-eq-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq-list
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-eq-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-eq-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-eq.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-eq.out
new file mode 100644
index 0000000000..3241ccdf6f
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-eq.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne-list-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne-list-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne-list.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne-list.out
new file mode 100644
index 0000000000..f875da226e
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne-list
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne.out
new file mode 100644
index 0000000000..b074df8891
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-eq-list.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-eq-list.out
new file mode 100644
index 0000000000..7396460f22
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-eq-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq-list
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-eq-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-eq-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-eq.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-eq.out
new file mode 100644
index 0000000000..3241ccdf6f
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-eq.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne-list-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne-list-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne-list.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne-list.out
new file mode 100644
index 0000000000..f875da226e
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne-list
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne-nomatch.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne.out b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne.out
new file mode 100644
index 0000000000..b074df8891
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq-ip6.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq-ip6.out
new file mode 100644
index 0000000000..db9d71f669
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq-ip6.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-eq
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq-list.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq-list.out
new file mode 100644
index 0000000000..0df42f6000
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - dst-port-eq-list
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq-nomatch.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq.out
new file mode 100644
index 0000000000..52321f7777
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - dst-port-eq
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gt-nomatch.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gt-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gt.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gt.out
new file mode 100644
index 0000000000..87c0c75514
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gt.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-gt
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gte-nomatch.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gte-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gte1.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gte1.out
new file mode 100644
index 0000000000..a6eb48c84c
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gte1.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-gte1
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gte2.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gte2.out
new file mode 100644
index 0000000000..2d13632cd6
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gte2.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-gte2
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lt-nomatch.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lt-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lt.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lt.out
new file mode 100644
index 0000000000..5d06777caf
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lt.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-lt
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lte-nomatch.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lte-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lte1.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lte1.out
new file mode 100644
index 0000000000..4102fdfd9a
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lte1.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-lte1
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lte2.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lte2.out
new file mode 100644
index 0000000000..b14823b92e
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lte2.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-lte2
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne-list-nomatch.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne-list-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne-list.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne-list.out
new file mode 100644
index 0000000000..7b68c06787
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-ne-list
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne-nomatch.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne.out b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne.out
new file mode 100644
index 0000000000..c92dcb8b31
--- /dev/null
+++ b/testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-ne
diff --git a/testing/btest/Baseline/signatures.header-header-condition/icmp.out b/testing/btest/Baseline/signatures.header-header-condition/icmp.out
new file mode 100644
index 0000000000..a626bf85a5
--- /dev/null
+++ b/testing/btest/Baseline/signatures.header-header-condition/icmp.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - icmp
diff --git a/testing/btest/Baseline/signatures.header-header-condition/icmp6.out b/testing/btest/Baseline/signatures.header-header-condition/icmp6.out
new file mode 100644
index 0000000000..61b7c927e9
--- /dev/null
+++ b/testing/btest/Baseline/signatures.header-header-condition/icmp6.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=128/icmp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=129/icmp] - icmp6
diff --git a/testing/btest/Baseline/signatures.header-header-condition/ip-mask.out b/testing/btest/Baseline/signatures.header-header-condition/ip-mask.out
new file mode 100644
index 0000000000..bc8045180f
--- /dev/null
+++ b/testing/btest/Baseline/signatures.header-header-condition/ip-mask.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - ip-mask
diff --git a/testing/btest/Baseline/signatures.header-header-condition/ip.out b/testing/btest/Baseline/signatures.header-header-condition/ip.out
new file mode 100644
index 0000000000..5a7f51a6e3
--- /dev/null
+++ b/testing/btest/Baseline/signatures.header-header-condition/ip.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - ip
diff --git a/testing/btest/Baseline/signatures.header-header-condition/ip6.out b/testing/btest/Baseline/signatures.header-header-condition/ip6.out
new file mode 100644
index 0000000000..d3d8aeae90
--- /dev/null
+++ b/testing/btest/Baseline/signatures.header-header-condition/ip6.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - ip6
diff --git a/testing/btest/Baseline/signatures.header-header-condition/tcp.out b/testing/btest/Baseline/signatures.header-header-condition/tcp.out
new file mode 100644
index 0000000000..48241068d4
--- /dev/null
+++ b/testing/btest/Baseline/signatures.header-header-condition/tcp.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/tcp, resp_h=127.0.0.1, resp_p=80/tcp] - tcp
diff --git a/testing/btest/Baseline/signatures.header-header-condition/udp.out b/testing/btest/Baseline/signatures.header-header-condition/udp.out
new file mode 100644
index 0000000000..fd54308e9f
--- /dev/null
+++ b/testing/btest/Baseline/signatures.header-header-condition/udp.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - udp
diff --git a/testing/btest/Baseline/signatures.header-header-condition/val-mask.out b/testing/btest/Baseline/signatures.header-header-condition/val-mask.out
new file mode 100644
index 0000000000..ad7a66e202
--- /dev/null
+++ b/testing/btest/Baseline/signatures.header-header-condition/val-mask.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - val-mask
diff --git a/testing/btest/Baseline/signatures.id-lookup/id.out b/testing/btest/Baseline/signatures.id-lookup/id.out
new file mode 100644
index 0000000000..4a5310a3b2
--- /dev/null
+++ b/testing/btest/Baseline/signatures.id-lookup/id.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - id
diff --git a/testing/btest/Baseline/signatures.ip-proto-header-condition/icmp6_in_ip6.out b/testing/btest/Baseline/signatures.ip-proto-header-condition/icmp6_in_ip6.out
new file mode 100644
index 0000000000..61b7c927e9
--- /dev/null
+++ b/testing/btest/Baseline/signatures.ip-proto-header-condition/icmp6_in_ip6.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=128/icmp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=129/icmp] - icmp6
diff --git a/testing/btest/Baseline/signatures.ip-proto-header-condition/icmp_in_ip4.out b/testing/btest/Baseline/signatures.ip-proto-header-condition/icmp_in_ip4.out
new file mode 100644
index 0000000000..a626bf85a5
--- /dev/null
+++ b/testing/btest/Baseline/signatures.ip-proto-header-condition/icmp_in_ip4.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - icmp
diff --git a/testing/btest/Baseline/signatures.ip-proto-header-condition/nomatch.out b/testing/btest/Baseline/signatures.ip-proto-header-condition/nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.ip-proto-header-condition/tcp_in_ip4.out b/testing/btest/Baseline/signatures.ip-proto-header-condition/tcp_in_ip4.out
new file mode 100644
index 0000000000..48241068d4
--- /dev/null
+++ b/testing/btest/Baseline/signatures.ip-proto-header-condition/tcp_in_ip4.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/tcp, resp_h=127.0.0.1, resp_p=80/tcp] - tcp
diff --git a/testing/btest/Baseline/signatures.ip-proto-header-condition/tcp_in_ip6.out b/testing/btest/Baseline/signatures.ip-proto-header-condition/tcp_in_ip6.out
new file mode 100644
index 0000000000..8a5d5f17fc
--- /dev/null
+++ b/testing/btest/Baseline/signatures.ip-proto-header-condition/tcp_in_ip6.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/tcp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=80/tcp] - tcp
diff --git a/testing/btest/Baseline/signatures.ip-proto-header-condition/udp_in_ip4.out b/testing/btest/Baseline/signatures.ip-proto-header-condition/udp_in_ip4.out
new file mode 100644
index 0000000000..fd54308e9f
--- /dev/null
+++ b/testing/btest/Baseline/signatures.ip-proto-header-condition/udp_in_ip4.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - udp
diff --git a/testing/btest/Baseline/signatures.ip-proto-header-condition/udp_in_ip6.out b/testing/btest/Baseline/signatures.ip-proto-header-condition/udp_in_ip6.out
new file mode 100644
index 0000000000..f843e44d2d
--- /dev/null
+++ b/testing/btest/Baseline/signatures.ip-proto-header-condition/udp_in_ip6.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - udp
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-eq-list.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-eq-list.out
new file mode 100644
index 0000000000..60fa5de636
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-eq-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq-list
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-eq-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-eq-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-eq.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-eq.out
new file mode 100644
index 0000000000..ce46d4b3df
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-eq.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne-list-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne-list-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne-list.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne-list.out
new file mode 100644
index 0000000000..3ca3aab914
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne-list
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne.out
new file mode 100644
index 0000000000..c0876257e3
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-eq-list.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-eq-list.out
new file mode 100644
index 0000000000..60fa5de636
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-eq-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq-list
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-eq-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-eq-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-eq.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-eq.out
new file mode 100644
index 0000000000..ce46d4b3df
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-eq.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne-list-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne-list-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne-list.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne-list.out
new file mode 100644
index 0000000000..3ca3aab914
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne-list
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne.out
new file mode 100644
index 0000000000..c0876257e3
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne.out
@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-eq-list.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-eq-list.out
new file mode 100644
index 0000000000..15e7b9848c
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-eq-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq-list
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-eq-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-eq-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-eq.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-eq.out
new file mode 100644
index 0000000000..12b0192a28
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-eq.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne-list-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne-list-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne-list.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne-list.out
new file mode 100644
index 0000000000..2e10e62cec
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne-list
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne.out
new file mode 100644
index 0000000000..be5325c4e9
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-eq-list.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-eq-list.out
new file mode 100644
index 0000000000..15e7b9848c
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-eq-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq-list
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-eq-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-eq-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-eq.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-eq.out
new file mode 100644
index 0000000000..12b0192a28
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-eq.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne-list-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne-list-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne-list.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne-list.out
new file mode 100644
index 0000000000..2e10e62cec
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne-list
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne-nomatch.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne.out b/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne.out
new file mode 100644
index 0000000000..be5325c4e9
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-eq-ip6.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-eq-ip6.out
new file mode 100644
index 0000000000..9a16e2d533
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-eq-ip6.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-port-eq
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-eq-list.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-eq-list.out
new file mode 100644
index 0000000000..c8a6579af1
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-eq-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - src-port-eq-list
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-eq-nomatch.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-eq-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-eq.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-eq.out
new file mode 100644
index 0000000000..8e44853a14
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-eq.out
@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - src-port-eq
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gt-nomatch.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gt-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gt.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gt.out
new file mode 100644
index 0000000000..235b9a0f11
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gt.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-port-gt
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gte-nomatch.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gte-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gte1.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gte1.out
new file mode 100644
index 0000000000..82b1a39aab
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gte1.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-port-gte1
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gte2.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gte2.out
new file mode 100644
index 0000000000..4816fe1947
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-gte2.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-port-gte2
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lt-nomatch.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lt-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lt.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lt.out
new file mode 100644
index 0000000000..b124a1616d
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lt.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-port-lt
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lte-nomatch.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lte-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lte1.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lte1.out
new file mode 100644
index 0000000000..67b2665619
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lte1.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-port-lte1
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lte2.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lte2.out
new file mode 100644
index 0000000000..758b5f1241
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-lte2.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-port-lte2
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-ne-list-nomatch.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-ne-list-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-ne-list.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-ne-list.out
new file mode 100644
index 0000000000..c98df730a8
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-ne-list.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-port-ne-list
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-ne-nomatch.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-ne-nomatch.out
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/signatures.src-port-header-condition/src-port-ne.out b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-ne.out
new file mode 100644
index 0000000000..f2ec15a667
--- /dev/null
+++ b/testing/btest/Baseline/signatures.src-port-header-condition/src-port-ne.out
@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-port-ne
diff --git a/testing/btest/signatures/dpd.bro b/testing/btest/signatures/dpd.bro
new file mode 100644
index 0000000000..d6ae02cb50
--- /dev/null
+++ b/testing/btest/signatures/dpd.bro
@@ -0,0 +1,54 @@
+# @TEST-EXEC: bro -b -s myftp -r $TRACES/ftp-ipv4.trace %INPUT >dpd-ipv4.out
+# @TEST-EXEC: bro -b -s myftp -r $TRACES/ipv6-ftp.trace %INPUT >dpd-ipv6.out
+# @TEST-EXEC: bro -b -r $TRACES/ftp-ipv4.trace %INPUT >nosig-ipv4.out
+# @TEST-EXEC: bro -b -r $TRACES/ipv6-ftp.trace %INPUT >nosig-ipv6.out
+# @TEST-EXEC: btest-diff dpd-ipv4.out
+# @TEST-EXEC: btest-diff dpd-ipv6.out
+# @TEST-EXEC: btest-diff nosig-ipv4.out
+# @TEST-EXEC: btest-diff nosig-ipv6.out
+
+# DPD based on 'ip-proto' and 'payload' signatures should be independent
+# of IP protocol.
+
+@TEST-START-FILE myftp.sig
+signature my_ftp_client {
+ ip-proto == tcp
+ payload /(|.*[\n\r]) *[uU][sS][eE][rR] /
+ tcp-state originator
+ event "matched my_ftp_client"
+}
+
+signature my_ftp_server {
+ ip-proto == tcp
+ payload /[\n\r ]*(120|220)[^0-9].*[\n\r] *(230|331)[^0-9]/
+ tcp-state responder
+ requires-reverse-signature my_ftp_client
+ enable "ftp"
+ event "matched my_ftp_server"
+}
+@TEST-END-FILE
+
+@load base/utils/addrs
+
+event bro_init()
+ {
+ # no analyzer attached to any port by default, depends entirely on sigs
+ print "dpd_config", dpd_config;
+ }
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
+
+event ftp_request(c: connection, command: string, arg: string)
+ {
+ print fmt("ftp_request %s:%s - %s %s", addr_to_uri(c$id$orig_h),
+ port_to_count(c$id$orig_p), command, arg);
+ }
+
+event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
+ {
+ print fmt("ftp_reply %s:%s - %s %s", addr_to_uri(c$id$resp_h),
+ port_to_count(c$id$resp_p), code, msg);
+ }
diff --git a/testing/btest/signatures/dst-ip-header-condition-v4-masks.bro b/testing/btest/signatures/dst-ip-header-condition-v4-masks.bro
new file mode 100644
index 0000000000..dc5b0f48b8
--- /dev/null
+++ b/testing/btest/signatures/dst-ip-header-condition-v4-masks.bro
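Review bot: The comment above myftp.sig says DPD should be "independent of IP protocol", but both signatures pin `ip-proto == tcp`, so what the four runs actually compare is the IP version. I would reword it to `# DPD based on 'ip-proto' and 'payload' signatures should behave the same over IPv4 and IPv6.` It is also worth one comment line on the two runs without `-s myftp`: they look like the control case showing that, with the empty `dpd_config` printed in bro_init, nothing attaches the FTP analyzer unless the signatures fire.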
@@ -0,0 +1,71 @@
+# @TEST-EXEC: bro -b -s dst-ip-eq -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-eq.out
+# @TEST-EXEC: bro -b -s dst-ip-eq-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-eq-nomatch.out
+# @TEST-EXEC: bro -b -s dst-ip-eq-list -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-eq-list.out
+
+# @TEST-EXEC: bro -b -s dst-ip-ne -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-ne.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-ne-nomatch.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-list -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-ne-list.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-list-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-ne-list-nomatch.out
+
+# @TEST-EXEC: btest-diff dst-ip-eq.out
+# @TEST-EXEC: btest-diff dst-ip-eq-nomatch.out
+# @TEST-EXEC: btest-diff dst-ip-eq-list.out
+
+# @TEST-EXEC: btest-diff dst-ip-ne.out
+# @TEST-EXEC: btest-diff dst-ip-ne-nomatch.out
+# @TEST-EXEC: btest-diff dst-ip-ne-list.out
+# @TEST-EXEC: btest-diff dst-ip-ne-list-nomatch.out
+
+@TEST-START-FILE dst-ip-eq.sig
+signature id {
+ dst-ip == 192.168.1.0/24
+ event "dst-ip-eq"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-eq-nomatch.sig
+signature id {
+ dst-ip == 10.0.0.0/8
+ event "dst-ip-eq-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-eq-list.sig
+signature id {
+ dst-ip == 10.0.0.0/8,[fe80::0]/16,192.168.1.0/24
+ event "dst-ip-eq-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne.sig
+signature id {
+ dst-ip != 10.0.0.0/8
+ event "dst-ip-ne"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-nomatch.sig
+signature id {
+ dst-ip != 192.168.1.0/24
+ event "dst-ip-ne-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-list.sig
+signature id {
+ dst-ip != 10.0.0.0/8,[fe80::0]/16
+ event "dst-ip-ne-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-list-nomatch.sig
+signature id {
+ dst-ip != 10.0.0.0/8,[fe80::0]/16,192.168.1.0/24
+ event "dst-ip-ne-list-nomatch"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/dst-ip-header-condition-v4.bro b/testing/btest/signatures/dst-ip-header-condition-v4.bro
new file mode 100644
index 0000000000..0d0d3e644c
--- /dev/null
+++ b/testing/btest/signatures/dst-ip-header-condition-v4.bro
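Review bot: Every prefix length in these signatures sits on a byte boundary (`/8`, `/16`, `/24`), so a mask computed a few bits off would still pass all seven cases; the same holds for dst-ip-header-condition-v6-masks.bro, which only uses `/16`, `/112` and `/120`. Because IPv4 and IPv6 prefixes now share one list, I would add a match/no-match pair on a non-aligned length, for example `dst-ip == 192.168.1.96/29` (contains the 192.168.1.101 responder seen in the baselines) against `dst-ip == 192.168.1.104/29` (does not). The prefix-handling code is not in this part of the diff, so this is a coverage gap rather than a known fault.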
@@ -0,0 +1,71 @@
+# @TEST-EXEC: bro -b -s dst-ip-eq -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-eq.out
+# @TEST-EXEC: bro -b -s dst-ip-eq-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-eq-nomatch.out
+# @TEST-EXEC: bro -b -s dst-ip-eq-list -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-eq-list.out
+
+# @TEST-EXEC: bro -b -s dst-ip-ne -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-ne.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-ne-nomatch.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-list -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-ne-list.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-list-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >dst-ip-ne-list-nomatch.out
+
+# @TEST-EXEC: btest-diff dst-ip-eq.out
+# @TEST-EXEC: btest-diff dst-ip-eq-nomatch.out
+# @TEST-EXEC: btest-diff dst-ip-eq-list.out
+
+# @TEST-EXEC: btest-diff dst-ip-ne.out
+# @TEST-EXEC: btest-diff dst-ip-ne-nomatch.out
+# @TEST-EXEC: btest-diff dst-ip-ne-list.out
+# @TEST-EXEC: btest-diff dst-ip-ne-list-nomatch.out
+
+@TEST-START-FILE dst-ip-eq.sig
+signature id {
+ dst-ip == 192.168.1.101
+ event "dst-ip-eq"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-eq-nomatch.sig
+signature id {
+ dst-ip == 10.0.0.1
+ event "dst-ip-eq-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-eq-list.sig
+signature id {
+ dst-ip == 10.0.0.1,10.0.0.2,[fe80::1],192.168.1.101
+ event "dst-ip-eq-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne.sig
+signature id {
+ dst-ip != 10.0.0.1
+ event "dst-ip-ne"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-nomatch.sig
+signature id {
+ dst-ip != 192.168.1.101
+ event "dst-ip-ne-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-list.sig
+signature id {
+ dst-ip != 10.0.0.1,10.0.0.2,10.0.0.3,[fe80::1]
+ event "dst-ip-ne-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-list-nomatch.sig
+signature id {
+ dst-ip != 10.0.0.1,10.0.0.2,10.0.0.3,[fe80::1],192.168.1.101
+ event "dst-ip-ne-list-nomatch"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/dst-ip-header-condition-v6-masks.bro b/testing/btest/signatures/dst-ip-header-condition-v6-masks.bro
new file mode 100644
index 0000000000..d82a76e78d
--- /dev/null
+++ b/testing/btest/signatures/dst-ip-header-condition-v6-masks.bro
@@ -0,0 +1,71 @@
+# @TEST-EXEC: bro -b -s dst-ip-eq -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-eq.out
+# @TEST-EXEC: bro -b -s dst-ip-eq-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-eq-nomatch.out
+# @TEST-EXEC: bro -b -s dst-ip-eq-list -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-eq-list.out
+
+# @TEST-EXEC: bro -b -s dst-ip-ne -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-ne.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-ne-nomatch.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-list -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-ne-list.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-list-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-ne-list-nomatch.out
+
+# @TEST-EXEC: btest-diff dst-ip-eq.out
+# @TEST-EXEC: btest-diff dst-ip-eq-nomatch.out
+# @TEST-EXEC: btest-diff dst-ip-eq-list.out
+
+# @TEST-EXEC: btest-diff dst-ip-ne.out
+# @TEST-EXEC: btest-diff dst-ip-ne-nomatch.out
+# @TEST-EXEC: btest-diff dst-ip-ne-list.out
+# @TEST-EXEC: btest-diff dst-ip-ne-list-nomatch.out
+
+@TEST-START-FILE dst-ip-eq.sig
+signature id {
+ dst-ip == [2001:4f8:4:7:2e0:81ff:fe52:0]/112
+ event "dst-ip-eq"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-eq-nomatch.sig
+signature id {
+ dst-ip == [fe80::0]/16
+ event "dst-ip-eq-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-eq-list.sig
+signature id {
+ dst-ip == 10.0.0.0/8,[fe80::0]/16,[2001:4f8:4:7:2e0:81ff:fe52:0]/112
+ event "dst-ip-eq-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne.sig
+signature id {
+ dst-ip != [2001:4f8:4:7:2e0:81ff:fe52:0]/120
+ event "dst-ip-ne"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-nomatch.sig
+signature id {
+ dst-ip != [2001:4f8:4:7:2e0:81ff:fe52:0]/112
+ event "dst-ip-ne-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-list.sig
+signature id {
+ dst-ip != 10.0.0.0/8,[fe80::0]/16
+ event "dst-ip-ne-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-list-nomatch.sig
+signature id {
+ dst-ip != 10.0.0.0/8,[fe80::1]/16,[2001:4f8:4:7:2e0:81ff:fe52:0]/112
+ event "dst-ip-ne-list-nomatch"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/dst-ip-header-condition-v6.bro b/testing/btest/signatures/dst-ip-header-condition-v6.bro
new file mode 100644
index 0000000000..e629fb4462
--- /dev/null
+++ b/testing/btest/signatures/dst-ip-header-condition-v6.bro
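Review bot: `dst-ip-ne-list-nomatch.sig` writes the link-local prefix as `[fe80::1]/16`, while the three other signatures in this file that use it write `[fe80::0]/16`. If the set host bit is deliberate, to check that bits past the prefix length are ignored, it deserves its own case and a comment such as `# host bits set on purpose: must be masked off`; here the no-match result comes from the `/112` entry, so the case passes regardless of how the `/16` entry is normalised. Otherwise change it to `[fe80::0]/16` so the file is consistent.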
@@ -0,0 +1,71 @@
+# @TEST-EXEC: bro -b -s dst-ip-eq -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-eq.out
+# @TEST-EXEC: bro -b -s dst-ip-eq-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-eq-nomatch.out
+# @TEST-EXEC: bro -b -s dst-ip-eq-list -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-eq-list.out
+
+# @TEST-EXEC: bro -b -s dst-ip-ne -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-ne.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-ne-nomatch.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-list -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-ne-list.out
+# @TEST-EXEC: bro -b -s dst-ip-ne-list-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-ip-ne-list-nomatch.out
+
+# @TEST-EXEC: btest-diff dst-ip-eq.out
+# @TEST-EXEC: btest-diff dst-ip-eq-nomatch.out
+# @TEST-EXEC: btest-diff dst-ip-eq-list.out
+
+# @TEST-EXEC: btest-diff dst-ip-ne.out
+# @TEST-EXEC: btest-diff dst-ip-ne-nomatch.out
+# @TEST-EXEC: btest-diff dst-ip-ne-list.out
+# @TEST-EXEC: btest-diff dst-ip-ne-list-nomatch.out
+
+@TEST-START-FILE dst-ip-eq.sig
+signature id {
+ dst-ip == [2001:4f8:4:7:2e0:81ff:fe52:9a6b]
+ event "dst-ip-eq"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-eq-nomatch.sig
+signature id {
+ dst-ip == 10.0.0.1
+ event "dst-ip-eq-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-eq-list.sig
+signature id {
+ dst-ip == 10.0.0.1,10.0.0.2,[fe80::1],[2001:4f8:4:7:2e0:81ff:fe52:9a6b]
+ event "dst-ip-eq-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne.sig
+signature id {
+ dst-ip != 10.0.0.1
+ event "dst-ip-ne"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-nomatch.sig
+signature id {
+ dst-ip != [2001:4f8:4:7:2e0:81ff:fe52:9a6b]
+ event "dst-ip-ne-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-list.sig
+signature id {
+ dst-ip != 10.0.0.1,10.0.0.2,10.0.0.3,[fe80::1]
+ event "dst-ip-ne-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-ip-ne-list-nomatch.sig
+signature id {
+ dst-ip != 10.0.0.1,10.0.0.2,10.0.0.3,[fe80::1],[2001:4f8:4:7:2e0:81ff:fe52:9a6b]
+ event "dst-ip-ne-list-nomatch"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/dst-port-header-condition.bro b/testing/btest/signatures/dst-port-header-condition.bro
new file mode 100644
index 0000000000..08ba07b0de
--- /dev/null
+++ b/testing/btest/signatures/dst-port-header-condition.bro
@@ -0,0 +1,164 @@
+# @TEST-EXEC: bro -b -s dst-port-eq -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >dst-port-eq.out
+# @TEST-EXEC: bro -b -s dst-port-eq-nomatch -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >dst-port-eq-nomatch.out
+# @TEST-EXEC: bro -b -s dst-port-eq-list -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >dst-port-eq-list.out
+# @TEST-EXEC: bro -b -s dst-port-eq -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-eq-ip6.out
+
+# @TEST-EXEC: bro -b -s dst-port-ne -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-ne.out
+# @TEST-EXEC: bro -b -s dst-port-ne-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-ne-nomatch.out
+# @TEST-EXEC: bro -b -s dst-port-ne-list -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-ne-list.out
+# @TEST-EXEC: bro -b -s dst-port-ne-list-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-ne-list-nomatch.out
+
+# @TEST-EXEC: bro -b -s dst-port-lt -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-lt.out
+# @TEST-EXEC: bro -b -s dst-port-lt-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-lt-nomatch.out
+# @TEST-EXEC: bro -b -s dst-port-lte1 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-lte1.out
+# @TEST-EXEC: bro -b -s dst-port-lte2 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-lte2.out
+# @TEST-EXEC: bro -b -s dst-port-lte-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-lte-nomatch.out
+
+# @TEST-EXEC: bro -b -s dst-port-gt -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-gt.out
+# @TEST-EXEC: bro -b -s dst-port-gt-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-gt-nomatch.out
+# @TEST-EXEC: bro -b -s dst-port-gte1 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-gte1.out
+# @TEST-EXEC: bro -b -s dst-port-gte2 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-gte2.out
+# @TEST-EXEC: bro -b -s dst-port-gte-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >dst-port-gte-nomatch.out
+
+# @TEST-EXEC: btest-diff dst-port-eq.out
+# @TEST-EXEC: btest-diff dst-port-eq-nomatch.out
+# @TEST-EXEC: btest-diff dst-port-eq-list.out
+# @TEST-EXEC: btest-diff dst-port-eq-ip6.out
+# @TEST-EXEC: btest-diff dst-port-ne.out
+# @TEST-EXEC: btest-diff dst-port-ne-nomatch.out
+# @TEST-EXEC: btest-diff dst-port-ne-list.out
+# @TEST-EXEC: btest-diff dst-port-ne-list-nomatch.out
+# @TEST-EXEC: btest-diff dst-port-lt.out
+# @TEST-EXEC: btest-diff dst-port-lt-nomatch.out
+# @TEST-EXEC: btest-diff dst-port-lte1.out
+# @TEST-EXEC: btest-diff dst-port-lte2.out
+# @TEST-EXEC: btest-diff dst-port-lte-nomatch.out
+# @TEST-EXEC: btest-diff dst-port-gt.out
+# @TEST-EXEC: btest-diff dst-port-gt-nomatch.out
+# @TEST-EXEC: btest-diff dst-port-gte1.out
+# @TEST-EXEC: btest-diff dst-port-gte2.out
+# @TEST-EXEC: btest-diff dst-port-gte-nomatch.out
+
+@TEST-START-FILE dst-port-eq.sig
+signature id {
+ dst-port == 13000
+ event "dst-port-eq"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-eq-nomatch.sig
+signature id {
+ dst-port == 22
+ event "dst-port-eq-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-eq-list.sig
+signature id {
+ dst-port == 22,23,24,13000
+ event "dst-port-eq-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-ne.sig
+signature id {
+ dst-port != 22
+ event "dst-port-ne"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-ne-nomatch.sig
+signature id {
+ dst-port != 13000
+ event "dst-port-ne-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-ne-list.sig
+signature id {
+ dst-port != 22,23,24,25
+ event "dst-port-ne-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-ne-list-nomatch.sig
+signature id {
+ dst-port != 22,23,24,25,13000
+ event "dst-port-ne-list-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-lt.sig
+signature id {
+ dst-port < 13001
+ event "dst-port-lt"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-lt-nomatch.sig
+signature id {
+ dst-port < 13000
+ event "dst-port-lt-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-lte1.sig
+signature id {
+ dst-port <= 13000
+ event "dst-port-lte1"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-lte2.sig
+signature id {
+ dst-port <= 13001
+ event "dst-port-lte2"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-lte-nomatch.sig
+signature id {
+ dst-port <= 12999
+ event "dst-port-lte-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-gt.sig
+signature id {
+ dst-port > 12999
+ event "dst-port-gt"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-gt-nomatch.sig
+signature id {
+ dst-port > 13000
+ event "dst-port-gt-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-gte1.sig
+signature id {
+ dst-port >= 13000
+ event "dst-port-gte1"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-gte2.sig
+signature id {
+ dst-port >= 12999
+ event "dst-port-gte2"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE dst-port-gte-nomatch.sig
+signature id {
+ dst-port >= 13001
+ event "dst-port-gte-nomatch"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/header-header-condition.bro b/testing/btest/signatures/header-header-condition.bro
new file mode 100644
index 0000000000..ad78ba4513
--- /dev/null
+++ b/testing/btest/signatures/header-header-condition.bro
@@ -0,0 +1,78 @@
+# @TEST-EXEC: bro -b -s ip -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >ip.out
+# @TEST-EXEC: bro -b -s ip-mask -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >ip-mask.out
+# @TEST-EXEC: bro -b -s ip6 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >ip6.out
+# @TEST-EXEC: bro -b -s udp -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >udp.out
+# @TEST-EXEC: bro -b -s tcp -r $TRACES/chksums/ip4-tcp-good-chksum.pcap %INPUT >tcp.out
+# @TEST-EXEC: bro -b -s icmp -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >icmp.out
+# @TEST-EXEC: bro -b -s icmp6 -r $TRACES/chksums/ip6-icmp6-good-chksum.pcap %INPUT >icmp6.out
+# @TEST-EXEC: bro -b -s val-mask -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >val-mask.out
+
+# @TEST-EXEC: btest-diff ip.out
+# @TEST-EXEC: btest-diff ip-mask.out
+# @TEST-EXEC: btest-diff ip6.out
+# @TEST-EXEC: btest-diff udp.out
+# @TEST-EXEC: btest-diff tcp.out
+# @TEST-EXEC: btest-diff icmp.out
+# @TEST-EXEC: btest-diff icmp6.out
+# @TEST-EXEC: btest-diff val-mask.out
+
+@TEST-START-FILE ip.sig
+signature id {
+ header ip[10:1] == 0x7c
+ event "ip"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE ip-mask.sig
+signature id {
+ header ip[16:4] == 127.0.0.0/24
+ event "ip-mask"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE ip6.sig
+signature id {
+ header ip6[10:1] == 0x04
+ event "ip6"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE udp.sig
+signature id {
+ header udp[2:1] == 0x32
+ event "udp"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE tcp.sig
+signature id {
+ header tcp[3:4] == 0x50000000
+ event "tcp"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE icmp.sig
+signature id {
+ header icmp[2:2] == 0xf7ff
+ event "icmp"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE icmp6.sig
+signature id {
+ header icmp6[0:1] == 0x80
+ event "icmp6"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE val-mask.sig
+signature id {
+ header udp[2:1] & 0x0f == 0x02
+ event "val-mask"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/id-lookup.bro b/testing/btest/signatures/id-lookup.bro
new file mode 100644
index 0000000000..2e32224bc8
--- /dev/null
+++ b/testing/btest/signatures/id-lookup.bro
@@ -0,0 +1,16 @@
+# @TEST-EXEC: bro -b -s id -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >id.out
+# @TEST-EXEC: btest-diff id.out
+
+@TEST-START-FILE id.sig
+signature id {
+ ip-proto == udp_proto_number
+ event "id"
+}
+@TEST-END-FILE
+
+const udp_proto_number = 17;
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/ip-proto-header-condition.bro b/testing/btest/signatures/ip-proto-header-condition.bro
new file mode 100644
index 0000000000..52d58ea223
--- /dev/null
+++ b/testing/btest/signatures/ip-proto-header-condition.bro
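Review bot: In testing/btest/signatures/header-header-condition.bro every signature file appears to be written to fire on its trace (the baselines are not shown here), so the `header` condition is never checked against a value that must not match; a comparison that always evaluated true would still pass all eight diffs. A negative case next to `udp.sig` would close that gap, for example a `udp-nomatch.sig` comparing the same byte against 0x33 with an empty baseline, as sketched below. A one-line comment per signature naming the header field each offset/value pair is meant to hit would also help, since the constants only make sense against the specific pcap.

```bro
# @TEST-EXEC: bro -b -s udp-nomatch -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >udp-nomatch.out
# @TEST-EXEC: btest-diff udp-nomatch.out
# … unchanged: existing @TEST-EXEC lines and signature files …

@TEST-START-FILE udp-nomatch.sig
signature id {
  header udp[2:1] == 0x33
  event "udp-nomatch"
}
@TEST-END-FILE
```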
@@ -0,0 +1,48 @@
+# @TEST-EXEC: bro -b -s tcp -r $TRACES/chksums/ip4-tcp-good-chksum.pcap %INPUT >tcp_in_ip4.out
+# @TEST-EXEC: bro -b -s udp -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >udp_in_ip4.out
+# @TEST-EXEC: bro -b -s icmp -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >icmp_in_ip4.out
+# @TEST-EXEC: bro -b -s tcp -r $TRACES/chksums/ip6-tcp-good-chksum.pcap %INPUT >tcp_in_ip6.out
+# @TEST-EXEC: bro -b -s udp -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >udp_in_ip6.out
+# @TEST-EXEC: bro -b -s icmp6 -r $TRACES/chksums/ip6-icmp6-good-chksum.pcap %INPUT >icmp6_in_ip6.out
+# @TEST-EXEC: bro -b -s icmp -r $TRACES/chksums/ip6-icmp6-good-chksum.pcap %INPUT >nomatch.out
+
+# @TEST-EXEC: btest-diff tcp_in_ip4.out
+# @TEST-EXEC: btest-diff udp_in_ip4.out
+# @TEST-EXEC: btest-diff icmp_in_ip4.out
+# @TEST-EXEC: btest-diff tcp_in_ip6.out
+# @TEST-EXEC: btest-diff udp_in_ip6.out
+# @TEST-EXEC: btest-diff icmp6_in_ip6.out
+# @TEST-EXEC: btest-diff nomatch.out
+
+@TEST-START-FILE tcp.sig
+signature tcp_transport {
+ ip-proto == tcp
+ event "tcp"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE udp.sig
+signature udp_transport {
+ ip-proto == udp
+ event "udp"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE icmp.sig
+signature icmp_transport {
+ ip-proto == icmp
+ event "icmp"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE icmp6.sig
+signature icmp6_transport {
+ ip-proto == icmp6
+ event "icmp6"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/src-ip-header-condition-v4-masks.bro b/testing/btest/signatures/src-ip-header-condition-v4-masks.bro
new file mode 100644
index 0000000000..1e272c81ee
--- /dev/null
+++ b/testing/btest/signatures/src-ip-header-condition-v4-masks.bro
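Review bot: testing/btest/signatures/ip-proto-header-condition.bro never loads a signature using `ip-proto == ip` or `ip-proto == ip6`, although the documentation change in this commit lists both as accepted values and describes them as a no-op. A run such as `# @TEST-EXEC: bro -b -s ip6 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >ip6_noop.out` with a matching `ip6.sig` would pin down what "no-op" means in practice (whether such a signature fires or stays silent), which matters to anyone relying on these conditions for protocol detection. The only negative case is `icmp` against the ICMPv6 trace; the reverse, `icmp6` against `ip4-icmp-good-chksum.pcap`, is not covered.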
@@ -0,0 +1,71 @@
+# @TEST-EXEC: bro -b -s src-ip-eq -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-eq.out
+# @TEST-EXEC: bro -b -s src-ip-eq-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-eq-nomatch.out
+# @TEST-EXEC: bro -b -s src-ip-eq-list -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-eq-list.out
+
+# @TEST-EXEC: bro -b -s src-ip-ne -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-ne.out
+# @TEST-EXEC: bro -b -s src-ip-ne-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-ne-nomatch.out
+# @TEST-EXEC: bro -b -s src-ip-ne-list -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-ne-list.out
+# @TEST-EXEC: bro -b -s src-ip-ne-list-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-ne-list-nomatch.out
+
+# @TEST-EXEC: btest-diff src-ip-eq.out
+# @TEST-EXEC: btest-diff src-ip-eq-nomatch.out
+# @TEST-EXEC: btest-diff src-ip-eq-list.out
+
+# @TEST-EXEC: btest-diff src-ip-ne.out
+# @TEST-EXEC: btest-diff src-ip-ne-nomatch.out
+# @TEST-EXEC: btest-diff src-ip-ne-list.out
+# @TEST-EXEC: btest-diff src-ip-ne-list-nomatch.out
+
+@TEST-START-FILE src-ip-eq.sig
+signature id {
+ src-ip == 192.168.1.0/24
+ event "src-ip-eq"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-eq-nomatch.sig
+signature id {
+ src-ip == 10.0.0.0/8
+ event "src-ip-eq-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-eq-list.sig
+signature id {
+ src-ip == 10.0.0.0/8,[fe80::0]/16,192.168.1.0/24
+ event "src-ip-eq-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne.sig
+signature id {
+ src-ip != 10.0.0.0/8
+ event "src-ip-ne"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-nomatch.sig
+signature id {
+ src-ip != 192.168.1.0/24
+ event "src-ip-ne-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-list.sig
+signature id {
+ src-ip != 10.0.0.0/8,[fe80::0]/16
+ event "src-ip-ne-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-list-nomatch.sig
+signature id {
+ src-ip != 10.0.0.0/8,[fe80::0]/16,192.168.1.0/24
+ event "src-ip-ne-list-nomatch"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/src-ip-header-condition-v4.bro b/testing/btest/signatures/src-ip-header-condition-v4.bro
new file mode 100644
index 0000000000..746e41a4be
--- /dev/null
+++ b/testing/btest/signatures/src-ip-header-condition-v4.bro
@@ -0,0 +1,71 @@
+# @TEST-EXEC: bro -b -s src-ip-eq -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-eq.out
+# @TEST-EXEC: bro -b -s src-ip-eq-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-eq-nomatch.out
+# @TEST-EXEC: bro -b -s src-ip-eq-list -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-eq-list.out
+
+# @TEST-EXEC: bro -b -s src-ip-ne -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-ne.out
+# @TEST-EXEC: bro -b -s src-ip-ne-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-ne-nomatch.out
+# @TEST-EXEC: bro -b -s src-ip-ne-list -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-ne-list.out
+# @TEST-EXEC: bro -b -s src-ip-ne-list-nomatch -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT >src-ip-ne-list-nomatch.out
+
+# @TEST-EXEC: btest-diff src-ip-eq.out
+# @TEST-EXEC: btest-diff src-ip-eq-nomatch.out
+# @TEST-EXEC: btest-diff src-ip-eq-list.out
+
+# @TEST-EXEC: btest-diff src-ip-ne.out
+# @TEST-EXEC: btest-diff src-ip-ne-nomatch.out
+# @TEST-EXEC: btest-diff src-ip-ne-list.out
+# @TEST-EXEC: btest-diff src-ip-ne-list-nomatch.out
+
+@TEST-START-FILE src-ip-eq.sig
+signature id {
+ src-ip == 192.168.1.100
+ event "src-ip-eq"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-eq-nomatch.sig
+signature id {
+ src-ip == 10.0.0.1
+ event "src-ip-eq-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-eq-list.sig
+signature id {
+ src-ip == 10.0.0.1,10.0.0.2,[fe80::1],192.168.1.100
+ event "src-ip-eq-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne.sig
+signature id {
+ src-ip != 10.0.0.1
+ event "src-ip-ne"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-nomatch.sig
+signature id {
+ src-ip != 192.168.1.100
+ event "src-ip-ne-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-list.sig
+signature id {
+ src-ip != 10.0.0.1,10.0.0.2,10.0.0.3,[fe80::1]
+ event "src-ip-ne-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-list-nomatch.sig
+signature id {
+ src-ip != 10.0.0.1,10.0.0.2,10.0.0.3,[fe80::1],192.168.1.100
+ event "src-ip-ne-list-nomatch"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/src-ip-header-condition-v6-masks.bro b/testing/btest/signatures/src-ip-header-condition-v6-masks.bro
new file mode 100644
index 0000000000..3c4fbf5526
--- /dev/null
+++ b/testing/btest/signatures/src-ip-header-condition-v6-masks.bro
@@ -0,0 +1,71 @@
+# @TEST-EXEC: bro -b -s src-ip-eq -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-eq.out
+# @TEST-EXEC: bro -b -s src-ip-eq-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-eq-nomatch.out
+# @TEST-EXEC: bro -b -s src-ip-eq-list -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-eq-list.out
+
+# @TEST-EXEC: bro -b -s src-ip-ne -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-ne.out
+# @TEST-EXEC: bro -b -s src-ip-ne-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-ne-nomatch.out
+# @TEST-EXEC: bro -b -s src-ip-ne-list -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-ne-list.out
+# @TEST-EXEC: bro -b -s src-ip-ne-list-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-ne-list-nomatch.out
+
+# @TEST-EXEC: btest-diff src-ip-eq.out
+# @TEST-EXEC: btest-diff src-ip-eq-nomatch.out
+# @TEST-EXEC: btest-diff src-ip-eq-list.out
+
+# @TEST-EXEC: btest-diff src-ip-ne.out
+# @TEST-EXEC: btest-diff src-ip-ne-nomatch.out
+# @TEST-EXEC: btest-diff src-ip-ne-list.out
+# @TEST-EXEC: btest-diff src-ip-ne-list-nomatch.out
+
+@TEST-START-FILE src-ip-eq.sig
+signature id {
+ src-ip == [2001:4f8:4:7:2e0:81ff:fe52:0]/112
+ event "src-ip-eq"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-eq-nomatch.sig
+signature id {
+ src-ip == [fe80::0]/16
+ event "src-ip-eq-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-eq-list.sig
+signature id {
+ src-ip == 10.0.0.0/8,[fe80::0]/16,[2001:4f8:4:7:2e0:81ff:fe52:0]/112
+ event "src-ip-eq-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne.sig
+signature id {
+ src-ip != [2001:4f8:4:7:2e0:81ff:fe52:0]/120
+ event "src-ip-ne"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-nomatch.sig
+signature id {
+ src-ip != [2001:4f8:4:7:2e0:81ff:fe52:0]/112
+ event "src-ip-ne-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-list.sig
+signature id {
+ src-ip != 10.0.0.0/8,[fe80::0]/16
+ event "src-ip-ne-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-list-nomatch.sig
+signature id {
+ src-ip != 10.0.0.0/8,[fe80::1]/16,[2001:4f8:4:7:2e0:81ff:fe52:0]/112
+ event "src-ip-ne-list-nomatch"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/src-ip-header-condition-v6.bro b/testing/btest/signatures/src-ip-header-condition-v6.bro
new file mode 100644
index 0000000000..613a3dd4c1
--- /dev/null
+++ b/testing/btest/signatures/src-ip-header-condition-v6.bro
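Review bot: In testing/btest/signatures/src-ip-header-condition-v6-masks.bro, `src-ip-ne-list-nomatch.sig` writes the link-local prefix as `[fe80::1]/16` while every other signature in the file uses `[fe80::0]/16`. The `[2001:4f8:4:7:2e0:81ff:fe52:0]/112` entry is what decides the outcome of that case, so the test neither confirms nor rejects that host bits below the prefix length are masked off. If the difference is deliberate, say so in a comment and give it its own case, for example `src-ip == [2001:4f8:4:7:2e0:81ff:fe52:1]/112`, which should match only if host bits are ignored; otherwise normalize it to `[fe80::0]/16`. The prefix lengths exercised are 16, 112 and 120 only, so lengths on the 32-bit and 64-bit boundaries are not covered.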
@@ -0,0 +1,71 @@
+# @TEST-EXEC: bro -b -s src-ip-eq -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-eq.out
+# @TEST-EXEC: bro -b -s src-ip-eq-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-eq-nomatch.out
+# @TEST-EXEC: bro -b -s src-ip-eq-list -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-eq-list.out
+
+# @TEST-EXEC: bro -b -s src-ip-ne -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-ne.out
+# @TEST-EXEC: bro -b -s src-ip-ne-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-ne-nomatch.out
+# @TEST-EXEC: bro -b -s src-ip-ne-list -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-ne-list.out
+# @TEST-EXEC: bro -b -s src-ip-ne-list-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-ip-ne-list-nomatch.out
+
+# @TEST-EXEC: btest-diff src-ip-eq.out
+# @TEST-EXEC: btest-diff src-ip-eq-nomatch.out
+# @TEST-EXEC: btest-diff src-ip-eq-list.out
+
+# @TEST-EXEC: btest-diff src-ip-ne.out
+# @TEST-EXEC: btest-diff src-ip-ne-nomatch.out
+# @TEST-EXEC: btest-diff src-ip-ne-list.out
+# @TEST-EXEC: btest-diff src-ip-ne-list-nomatch.out
+
+@TEST-START-FILE src-ip-eq.sig
+signature id {
+ src-ip == [2001:4f8:4:7:2e0:81ff:fe52:ffff]
+ event "src-ip-eq"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-eq-nomatch.sig
+signature id {
+ src-ip == 10.0.0.1
+ event "src-ip-eq-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-eq-list.sig
+signature id {
+ src-ip == 10.0.0.1,10.0.0.2,[fe80::1],[2001:4f8:4:7:2e0:81ff:fe52:ffff]
+ event "src-ip-eq-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne.sig
+signature id {
+ src-ip != 10.0.0.1
+ event "src-ip-ne"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-nomatch.sig
+signature id {
+ src-ip != [2001:4f8:4:7:2e0:81ff:fe52:ffff]
+ event "src-ip-ne-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-list.sig
+signature id {
+ src-ip != 10.0.0.1,10.0.0.2,10.0.0.3,[fe80::1]
+ event "src-ip-ne-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-ip-ne-list-nomatch.sig
+signature id {
+ src-ip != 10.0.0.1,10.0.0.2,10.0.0.3,[fe80::1],[2001:4f8:4:7:2e0:81ff:fe52:ffff]
+ event "src-ip-ne-list-nomatch"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
diff --git a/testing/btest/signatures/src-port-header-condition.bro b/testing/btest/signatures/src-port-header-condition.bro
new file mode 100644
index 0000000000..ea9e08ce2b
--- /dev/null
+++ b/testing/btest/signatures/src-port-header-condition.bro
@@ -0,0 +1,164 @@
+# @TEST-EXEC: bro -b -s src-port-eq -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >src-port-eq.out
+# @TEST-EXEC: bro -b -s src-port-eq-nomatch -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >src-port-eq-nomatch.out
+# @TEST-EXEC: bro -b -s src-port-eq-list -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >src-port-eq-list.out
+# @TEST-EXEC: bro -b -s src-port-eq -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-eq-ip6.out
+
+# @TEST-EXEC: bro -b -s src-port-ne -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-ne.out
+# @TEST-EXEC: bro -b -s src-port-ne-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-ne-nomatch.out
+# @TEST-EXEC: bro -b -s src-port-ne-list -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-ne-list.out
+# @TEST-EXEC: bro -b -s src-port-ne-list-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-ne-list-nomatch.out
+
+# @TEST-EXEC: bro -b -s src-port-lt -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-lt.out
+# @TEST-EXEC: bro -b -s src-port-lt-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-lt-nomatch.out
+# @TEST-EXEC: bro -b -s src-port-lte1 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-lte1.out
+# @TEST-EXEC: bro -b -s src-port-lte2 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-lte2.out
+# @TEST-EXEC: bro -b -s src-port-lte-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-lte-nomatch.out
+
+# @TEST-EXEC: bro -b -s src-port-gt -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gt.out
+# @TEST-EXEC: bro -b -s src-port-gt-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gt-nomatch.out
+# @TEST-EXEC: bro -b -s src-port-gte1 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte1.out
+# @TEST-EXEC: bro -b -s src-port-gte2 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte2.out
+# @TEST-EXEC: bro -b -s src-port-gte-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte-nomatch.out
+
+# @TEST-EXEC: btest-diff src-port-eq.out
+# @TEST-EXEC: btest-diff src-port-eq-nomatch.out
+# @TEST-EXEC: btest-diff src-port-eq-list.out
+# @TEST-EXEC: btest-diff src-port-eq-ip6.out
+# @TEST-EXEC: btest-diff src-port-ne.out
+# @TEST-EXEC: btest-diff src-port-ne-nomatch.out
+# @TEST-EXEC: btest-diff src-port-ne-list.out
+# @TEST-EXEC: btest-diff src-port-ne-list-nomatch.out
+# @TEST-EXEC: btest-diff src-port-lt.out
+# @TEST-EXEC: btest-diff src-port-lt-nomatch.out
+# @TEST-EXEC: btest-diff src-port-lte1.out
+# @TEST-EXEC: btest-diff src-port-lte2.out
+# @TEST-EXEC: btest-diff src-port-lte-nomatch.out
+# @TEST-EXEC: btest-diff src-port-gt.out
+# @TEST-EXEC: btest-diff src-port-gt-nomatch.out
+# @TEST-EXEC: btest-diff src-port-gte1.out
+# @TEST-EXEC: btest-diff src-port-gte2.out
+# @TEST-EXEC: btest-diff src-port-gte-nomatch.out
+
+@TEST-START-FILE src-port-eq.sig
+signature id {
+ src-port == 30000
+ event "src-port-eq"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-eq-nomatch.sig
+signature id {
+ src-port == 22
+ event "src-port-eq-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-eq-list.sig
+signature id {
+ src-port == 22,23,24,30000
+ event "src-port-eq-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-ne.sig
+signature id {
+ src-port != 22
+ event "src-port-ne"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-ne-nomatch.sig
+signature id {
+ src-port != 30000
+ event "src-port-ne-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-ne-list.sig
+signature id {
+ src-port != 22,23,24,25
+ event "src-port-ne-list"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-ne-list-nomatch.sig
+signature id {
+ src-port != 22,23,24,25,30000
+ event "src-port-ne-list-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-lt.sig
+signature id {
+ src-port < 30001
+ event "src-port-lt"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-lt-nomatch.sig
+signature id {
+ src-port < 30000
+ event "src-port-lt-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-lte1.sig
+signature id {
+ src-port <= 30000
+ event "src-port-lte1"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-lte2.sig
+signature id {
+ src-port <= 30001
+ event "src-port-lte2"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-lte-nomatch.sig
+signature id {
+ src-port <= 29999
+ event "src-port-lte-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-gt.sig
+signature id {
+ src-port > 29999
+ event "src-port-gt"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-gt-nomatch.sig
+signature id {
+ src-port > 30000
+ event "src-port-gt-nomatch"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-gte1.sig
+signature id {
+ src-port >= 30000
+ event "src-port-gte1"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-gte2.sig
+signature id {
+ src-port >= 29999
+ event "src-port-gte2"
+}
+@TEST-END-FILE
+
+@TEST-START-FILE src-port-gte-nomatch.sig
+signature id {
+ src-port >= 30001
+ event "src-port-gte-nomatch"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print fmt("signature_match %s - %s", state$conn$id, msg);
+ }
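Review bot: All runs in testing/btest/signatures/src-port-header-condition.bro read `ip4-udp-good-chksum.pcap` or `ip6-udp-good-chksum.pcap`, so `src-port` is only ever checked against UDP headers. The ip-proto test in this commit already uses `ip4-tcp-good-chksum.pcap` and `ip6-tcp-good-chksum.pcap`; adding one `==` and one `!=` run against those traces, with the port value taken from the trace, would cover the TCP path as well. The visible tail of the dst-port test appears to follow the same UDP-only pattern.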