]>
Commit | Line | Data |
---|---|---|
a2b502a3 | 1 | /* Copyright (C) 2007-2013 Open Information Security Foundation |
2eef905c WM |
2 | * |
3 | * You can copy, redistribute or modify this Program under the terms of | |
4 | * the GNU General Public License version 2 as published by the Free | |
5 | * Software Foundation. | |
6 | * | |
7 | * This program is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | * | |
12 | * You should have received a copy of the GNU General Public License | |
13 | * version 2 along with this program; if not, write to the Free Software | |
14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | |
15 | * 02110-1301, USA. | |
16 | */ | |
17 | ||
12386689 | 18 | /** |
2eef905c WM |
19 | * \file |
20 | * | |
12386689 PR |
21 | * \author Pablo Rincon <pablo.rincon.crespo@gmail.com> |
22 | */ | |
2eef905c | 23 | |
12386689 PR |
24 | #include "suricata-common.h" |
25 | ||
26 | #include "action-globals.h" | |
27 | #include "conf.h" | |
28 | #include "conf-yaml-loader.h" | |
29 | ||
30 | #include "detect.h" | |
31 | #include "detect-engine.h" | |
32 | #include "detect-engine-sigorder.h" | |
33 | ||
34 | #include "util-unittest.h" | |
35 | #include "util-action.h" | |
36 | #include "util-unittest-helper.h" | |
37 | #include "util-debug.h" | |
38 | ||
39 | /* Default order: */ | |
40 | uint8_t action_order_sigs[4] = {ACTION_PASS, ACTION_DROP, ACTION_REJECT, ACTION_ALERT}; | |
41 | /* This order can be changed from config */ | |
42 | ||
43 | /** | |
44 | * \brief Return the priority associated to an action (to order sigs | |
45 | * as specified at config) | |
46 | * action_order_sigs has this priority by index val | |
47 | * so action_order_sigs[0] has to be inspected first. | |
48 | * This function is called from detect-engine-sigorder | |
49 | * \param action can be one of ACTION_PASS, ACTION_DROP, | |
50 | * ACTION_REJECT or ACTION_ALERT | |
51 | * \retval uint8_t the priority (order of this actions) | |
52 | */ | |
a2b502a3 KS |
53 | uint8_t ActionOrderVal(uint8_t action) |
54 | { | |
12386689 | 55 | /* reject_both and reject_dst have the same prio as reject */ |
8ae11f73 L |
56 | if( (action & ACTION_REJECT) || |
57 | (action & ACTION_REJECT_BOTH) || | |
58 | (action & ACTION_REJECT_DST)) { | |
12386689 PR |
59 | action = ACTION_REJECT; |
60 | } | |
61 | uint8_t i = 0; | |
62 | for (; i < 4; i++) { | |
63 | if (action_order_sigs[i] == action) | |
64 | return i; | |
65 | } | |
66 | /* Unknown action, set just a low prio (high val) */ | |
67 | return 10; | |
68 | } | |
69 | ||
70 | /** | |
71 | * \brief Return the ACTION_* bit from their ascii value | |
72 | * \param action can be one of "pass", "drop", | |
73 | * "reject" or "alert" | |
74 | * \retval uint8_t can be one of ACTION_PASS, ACTION_DROP, | |
75 | * ACTION_REJECT or ACTION_ALERT | |
76 | */ | |
ab1200fb | 77 | static uint8_t ActionAsciiToFlag(const char *action) |
a2b502a3 | 78 | { |
12386689 PR |
79 | if (strcmp(action,"pass") == 0) |
80 | return ACTION_PASS; | |
81 | if (strcmp(action,"drop") == 0) | |
82 | return ACTION_DROP; | |
83 | if (strcmp(action,"reject") == 0) | |
84 | return ACTION_REJECT; | |
85 | if (strcmp(action,"alert") == 0) | |
86 | return ACTION_ALERT; | |
87 | ||
88 | return 0; | |
89 | } | |
90 | ||
91 | /** | |
92 | * \brief Load the action order from config. If none is provided, | |
93 | * it will be default to ACTION_PASS, ACTION_DROP, | |
94 | * ACTION_REJECT, ACTION_ALERT (pass has the highest prio) | |
f5af4c9c AS |
95 | * |
96 | * \retval 0 on success; -1 on fatal error; | |
12386689 | 97 | */ |
a2b502a3 KS |
98 | int ActionInitConfig() |
99 | { | |
12386689 PR |
100 | uint8_t actions_used = 0; |
101 | uint8_t action_flag = 0; | |
102 | uint8_t actions_config[4] = {0, 0, 0, 0}; | |
103 | int order = 0; | |
104 | ||
105 | ConfNode *action_order; | |
106 | ConfNode *action = NULL; | |
107 | ||
108 | /* Let's load the order of actions from the general config */ | |
109 | action_order = ConfGetNode("action-order"); | |
2e5292e2 JI |
110 | if (action_order == NULL) { |
111 | /* No configuration, use defaults. */ | |
112 | return 0; | |
113 | } | |
114 | else { | |
12386689 PR |
115 | TAILQ_FOREACH(action, &action_order->head, next) { |
116 | SCLogDebug("Loading action order : %s", action->val); | |
117 | action_flag = ActionAsciiToFlag(action->val); | |
118 | if (action_flag == 0) { | |
119 | SCLogError(SC_ERR_ACTION_ORDER, "action-order, invalid action: \"%s\". Please, use" | |
120 | " \"pass\",\"drop\",\"alert\",\"reject\". You have" | |
121 | " to specify all of them, without quotes and without" | |
122 | " capital letters", action->val); | |
f5af4c9c | 123 | goto error; |
12386689 PR |
124 | } |
125 | ||
126 | if (actions_used & action_flag) { | |
127 | SCLogError(SC_ERR_ACTION_ORDER, "action-order, action already set: \"%s\". Please," | |
128 | " use \"pass\",\"drop\",\"alert\",\"reject\". You" | |
129 | " have to specify all of them, without quotes and" | |
130 | " without capital letters", action->val); | |
f5af4c9c | 131 | goto error; |
12386689 PR |
132 | } |
133 | ||
134 | if (order >= 4) { | |
135 | SCLogError(SC_ERR_ACTION_ORDER, "action-order, you have already specified all the " | |
136 | "possible actions plus \"%s\". Please, use \"pass\"," | |
137 | "\"drop\",\"alert\",\"reject\". You have to specify" | |
138 | " all of them, without quotes and without capital" | |
139 | " letters", action->val); | |
f5af4c9c | 140 | goto error; |
12386689 PR |
141 | } |
142 | actions_used |= action_flag; | |
143 | actions_config[order++] = action_flag; | |
144 | } | |
145 | } | |
146 | if (order < 4) { | |
147 | SCLogError(SC_ERR_ACTION_ORDER, "action-order, the config didn't specify all of the " | |
148 | "actions. Please, use \"pass\",\"drop\",\"alert\"," | |
149 | "\"reject\". You have to specify all of them, without" | |
150 | " quotes and without capital letters"); | |
f5af4c9c | 151 | goto error; |
12386689 PR |
152 | } |
153 | ||
154 | /* Now, it's a valid config. Override the default preset */ | |
155 | for (order = 0; order < 4; order++) { | |
156 | action_order_sigs[order] = actions_config[order]; | |
157 | } | |
f5af4c9c AS |
158 | |
159 | return 0; | |
160 | ||
161 | error: | |
162 | return -1; | |
12386689 PR |
163 | } |
164 | ||
165 | #ifdef UNITTESTS | |
12386689 PR |
166 | |
167 | /** | |
168 | * \test Check that we invalidate duplicated actions | |
169 | * (It should default to pass, drop, reject, alert) | |
170 | */ | |
ab1200fb | 171 | static int UtilActionTest01(void) |
12386689 PR |
172 | { |
173 | int res = 1; | |
174 | char config[] = "\ | |
175 | %YAML 1.1\n\ | |
176 | ---\n\ | |
177 | action-order:\n\ | |
178 | - alert\n\ | |
179 | - drop\n\ | |
180 | - reject\n\ | |
181 | - alert\n"; | |
182 | ||
183 | ConfCreateContextBackup(); | |
184 | ConfInit(); | |
185 | ConfYamlLoadString(config, strlen(config)); | |
186 | ||
187 | ActionInitConfig(); | |
188 | if (action_order_sigs[0] != ACTION_PASS || | |
189 | action_order_sigs[1] != ACTION_DROP || | |
190 | action_order_sigs[2] != ACTION_REJECT || | |
191 | action_order_sigs[3] != ACTION_ALERT) | |
192 | { | |
193 | res = 0; | |
194 | } | |
195 | ConfRestoreContextBackup(); | |
196 | ||
197 | /* Restore default values */ | |
198 | action_order_sigs[0] = ACTION_PASS; | |
199 | action_order_sigs[1] = ACTION_DROP; | |
200 | action_order_sigs[2] = ACTION_REJECT; | |
201 | action_order_sigs[3] = ACTION_ALERT; | |
202 | return res; | |
203 | } | |
204 | ||
205 | /** | |
206 | * \test Check that we invalidate with unknown keywords | |
207 | * (It should default to pass, drop, reject, alert) | |
208 | */ | |
ab1200fb | 209 | static int UtilActionTest02(void) |
12386689 PR |
210 | { |
211 | int res = 1; | |
212 | char config[] = "\ | |
213 | %YAML 1.1\n\ | |
214 | ---\n\ | |
215 | action-order:\n\ | |
216 | - alert\n\ | |
217 | - drop\n\ | |
218 | - reject\n\ | |
219 | - ftw\n"; | |
220 | ||
221 | ConfCreateContextBackup(); | |
222 | ConfInit(); | |
223 | ConfYamlLoadString(config, strlen(config)); | |
224 | ||
225 | ActionInitConfig(); | |
226 | if (action_order_sigs[0] != ACTION_PASS || | |
227 | action_order_sigs[1] != ACTION_DROP || | |
228 | action_order_sigs[2] != ACTION_REJECT || | |
229 | action_order_sigs[3] != ACTION_ALERT) | |
230 | { | |
231 | res = 0; | |
232 | } | |
233 | ConfRestoreContextBackup(); | |
234 | ||
235 | /* Restore default values */ | |
236 | action_order_sigs[0] = ACTION_PASS; | |
237 | action_order_sigs[1] = ACTION_DROP; | |
238 | action_order_sigs[2] = ACTION_REJECT; | |
239 | action_order_sigs[3] = ACTION_ALERT; | |
240 | return res; | |
241 | } | |
242 | ||
243 | /** | |
244 | * \test Check that we invalidate if any action is missing | |
245 | * (It should default to pass, drop, reject, alert) | |
246 | */ | |
ab1200fb | 247 | static int UtilActionTest03(void) |
12386689 PR |
248 | { |
249 | int res = 1; | |
250 | char config[] = "\ | |
251 | %YAML 1.1\n\ | |
252 | ---\n\ | |
253 | action-order:\n\ | |
254 | - alert\n\ | |
255 | - drop\n\ | |
256 | - reject\n"; | |
257 | ||
258 | ConfCreateContextBackup(); | |
259 | ConfInit(); | |
260 | ConfYamlLoadString(config, strlen(config)); | |
261 | ||
262 | ActionInitConfig(); | |
263 | if (action_order_sigs[0] != ACTION_PASS || | |
264 | action_order_sigs[1] != ACTION_DROP || | |
265 | action_order_sigs[2] != ACTION_REJECT || | |
266 | action_order_sigs[3] != ACTION_ALERT) | |
267 | { | |
268 | res = 0; | |
269 | } | |
270 | ConfRestoreContextBackup(); | |
271 | ||
272 | /* Restore default values */ | |
273 | action_order_sigs[0] = ACTION_PASS; | |
274 | action_order_sigs[1] = ACTION_DROP; | |
275 | action_order_sigs[2] = ACTION_REJECT; | |
276 | action_order_sigs[3] = ACTION_ALERT; | |
277 | return res; | |
278 | } | |
279 | ||
280 | /** | |
281 | * \test Check that we invalidate if any action is missing | |
282 | * (It should default to pass, drop, reject, alert) | |
283 | */ | |
ab1200fb | 284 | static int UtilActionTest04(void) |
12386689 PR |
285 | { |
286 | int res = 1; | |
287 | char config[] = "\ | |
288 | %YAML 1.1\n\ | |
289 | ---\n\ | |
290 | action-order:\n"; | |
291 | ||
292 | ConfCreateContextBackup(); | |
293 | ConfInit(); | |
294 | ConfYamlLoadString(config, strlen(config)); | |
295 | ||
296 | ActionInitConfig(); | |
297 | if (action_order_sigs[0] != ACTION_PASS || | |
298 | action_order_sigs[1] != ACTION_DROP || | |
299 | action_order_sigs[2] != ACTION_REJECT || | |
300 | action_order_sigs[3] != ACTION_ALERT) | |
301 | { | |
302 | res = 0; | |
303 | } | |
304 | ConfRestoreContextBackup(); | |
305 | ||
306 | /* Restore default values */ | |
307 | action_order_sigs[0] = ACTION_PASS; | |
308 | action_order_sigs[1] = ACTION_DROP; | |
309 | action_order_sigs[2] = ACTION_REJECT; | |
310 | action_order_sigs[3] = ACTION_ALERT; | |
311 | return res; | |
312 | } | |
313 | ||
314 | /** | |
315 | * \test Check that we invalidate with unknown keywords | |
316 | * and/or more than the expected | |
317 | * (It should default to pass, drop, reject, alert) | |
318 | */ | |
ab1200fb | 319 | static int UtilActionTest05(void) |
12386689 PR |
320 | { |
321 | int res = 1; | |
322 | char config[] = "\ | |
323 | %YAML 1.1\n\ | |
324 | ---\n\ | |
325 | action-order:\n\ | |
326 | - alert\n\ | |
327 | - drop\n\ | |
328 | - reject\n\ | |
329 | - pass\n\ | |
330 | - whatever\n"; | |
331 | ||
332 | ConfCreateContextBackup(); | |
333 | ConfInit(); | |
334 | ConfYamlLoadString(config, strlen(config)); | |
335 | ||
336 | ActionInitConfig(); | |
337 | if (action_order_sigs[0] != ACTION_PASS || | |
338 | action_order_sigs[1] != ACTION_DROP || | |
339 | action_order_sigs[2] != ACTION_REJECT || | |
340 | action_order_sigs[3] != ACTION_ALERT) | |
341 | { | |
342 | res = 0; | |
343 | } | |
344 | ConfRestoreContextBackup(); | |
345 | ||
346 | /* Restore default values */ | |
347 | action_order_sigs[0] = ACTION_PASS; | |
348 | action_order_sigs[1] = ACTION_DROP; | |
349 | action_order_sigs[2] = ACTION_REJECT; | |
350 | action_order_sigs[3] = ACTION_ALERT; | |
351 | return res; | |
352 | } | |
353 | ||
354 | /** | |
355 | * \test Check that we load a valid config | |
356 | */ | |
ab1200fb | 357 | static int UtilActionTest06(void) |
12386689 PR |
358 | { |
359 | int res = 1; | |
360 | char config[] = "\ | |
361 | %YAML 1.1\n\ | |
362 | ---\n\ | |
363 | action-order:\n\ | |
364 | - alert\n\ | |
365 | - drop\n\ | |
366 | - reject\n\ | |
367 | - pass\n"; | |
368 | ||
369 | ConfCreateContextBackup(); | |
370 | ConfInit(); | |
371 | ConfYamlLoadString(config, strlen(config)); | |
372 | ||
373 | ActionInitConfig(); | |
374 | if (action_order_sigs[0] != ACTION_ALERT || | |
375 | action_order_sigs[1] != ACTION_DROP || | |
376 | action_order_sigs[2] != ACTION_REJECT || | |
377 | action_order_sigs[3] != ACTION_PASS) | |
378 | { | |
379 | res = 0; | |
380 | } | |
381 | ConfRestoreContextBackup(); | |
382 | ||
383 | /* Restore default values */ | |
384 | action_order_sigs[0] = ACTION_PASS; | |
385 | action_order_sigs[1] = ACTION_DROP; | |
386 | action_order_sigs[2] = ACTION_REJECT; | |
387 | action_order_sigs[3] = ACTION_ALERT; | |
388 | return res; | |
389 | } | |
390 | ||
391 | /** | |
392 | * \test Check that we load a valid config | |
393 | */ | |
ab1200fb | 394 | static int UtilActionTest07(void) |
12386689 PR |
395 | { |
396 | int res = 1; | |
397 | char config[] = "\ | |
398 | %YAML 1.1\n\ | |
399 | ---\n\ | |
400 | action-order:\n\ | |
401 | - pass\n\ | |
402 | - alert\n\ | |
403 | - drop\n\ | |
404 | - reject\n"; | |
405 | ||
406 | ConfCreateContextBackup(); | |
407 | ConfInit(); | |
408 | ConfYamlLoadString(config, strlen(config)); | |
409 | ||
410 | ActionInitConfig(); | |
411 | if (action_order_sigs[0] != ACTION_PASS || | |
412 | action_order_sigs[1] != ACTION_ALERT || | |
413 | action_order_sigs[2] != ACTION_DROP || | |
414 | action_order_sigs[3] != ACTION_REJECT) | |
415 | { | |
416 | res = 0; | |
417 | } | |
418 | ConfRestoreContextBackup(); | |
419 | ||
420 | /* Restore default values */ | |
421 | action_order_sigs[0] = ACTION_PASS; | |
422 | action_order_sigs[1] = ACTION_DROP; | |
423 | action_order_sigs[2] = ACTION_REJECT; | |
424 | action_order_sigs[3] = ACTION_ALERT; | |
425 | return res; | |
426 | } | |
427 | ||
428 | /** | |
429 | * \test Check that we handle the "pass" action | |
430 | * correctly at the IP Only engine in the default case | |
431 | */ | |
ab1200fb | 432 | static int UtilActionTest08(void) |
12386689 PR |
433 | { |
434 | int res = 0; | |
435 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
436 | uint16_t buflen = strlen((char *)buf); | |
437 | Packet *p[3]; | |
438 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
439 | "192.168.1.5", "192.168.1.1", | |
440 | 41424, 80); | |
441 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
442 | "192.168.1.1", "192.168.1.5", | |
443 | 80, 41424); | |
444 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
445 | "192.168.1.5", "192.168.1.1", | |
446 | 41424, 80); | |
447 | ||
448 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
449 | goto end; | |
450 | ||
ab1200fb | 451 | const char *sigs[3]; |
12386689 PR |
452 | sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)"; |
453 | sigs[1]= "pass ip 192.168.1.1 80 -> any any (msg:\"sig 2\"; sid:2;)"; | |
454 | sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; sid:3;)"; | |
455 | ||
456 | uint32_t sid[3] = {1, 2, 3}; | |
457 | ||
458 | uint32_t results[3][3] = { | |
459 | {1, 0, 1}, | |
460 | {0, 0, 0}, | |
461 | {1, 0, 1} }; | |
462 | /* This means that with the second packet, the results will be | |
463 | * all ({0,0,0}) since, we should match the "pass" rule first | |
464 | */ | |
465 | ||
466 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
467 | if (de_ctx == NULL) | |
468 | goto cleanup; | |
469 | de_ctx->flags |= DE_QUIET; | |
470 | ||
471 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
472 | goto cleanup; | |
473 | ||
474 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
475 | SCSigOrderSignatures(de_ctx); | |
476 | ||
12386689 PR |
477 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
478 | ||
479 | cleanup: | |
480 | UTHFreePackets(p, 3); | |
481 | ||
482 | if (de_ctx != NULL) { | |
483 | SigGroupCleanup(de_ctx); | |
484 | SigCleanSignatures(de_ctx); | |
485 | DetectEngineCtxFree(de_ctx); | |
486 | } | |
487 | ||
488 | end: | |
489 | return res; | |
490 | } | |
491 | ||
492 | /** | |
493 | * \test Check that we handle the "pass" action | |
494 | * correctly at the IP Only engine with more | |
495 | * prio to drop | |
496 | */ | |
ab1200fb | 497 | static int UtilActionTest09(void) |
12386689 PR |
498 | { |
499 | int res = 1; | |
500 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
501 | uint16_t buflen = strlen((char *)buf); | |
502 | Packet *p[3]; | |
503 | ||
504 | action_order_sigs[0] = ACTION_DROP; | |
505 | action_order_sigs[1] = ACTION_PASS; | |
506 | action_order_sigs[2] = ACTION_REJECT; | |
507 | action_order_sigs[3] = ACTION_ALERT; | |
508 | ||
509 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
510 | "192.168.1.5", "192.168.1.1", | |
511 | 41424, 80); | |
512 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
513 | "192.168.1.1", "192.168.1.5", | |
514 | 80, 41424); | |
515 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
516 | "192.168.1.5", "192.168.1.1", | |
517 | 41424, 80); | |
518 | ||
519 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
520 | goto end; | |
521 | ||
ab1200fb | 522 | const char *sigs[3]; |
12386689 PR |
523 | sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)"; |
524 | sigs[1]= "pass ip 192.168.1.1 80 -> any any (msg:\"sig 2\"; sid:2;)"; | |
525 | sigs[2]= "drop ip any any -> any any (msg:\"sig 3\"; sid:3;)"; | |
526 | ||
527 | uint32_t sid[3] = {1, 2, 3}; | |
528 | ||
529 | uint32_t results[3][3] = { | |
530 | {1, 0, 1}, | |
531 | {0, 0, 1}, | |
532 | {1, 0, 1} }; | |
533 | /* This means that with the second packet, the results will be | |
534 | * all ({0,0,1}) since, we should match the "drop" rule first. | |
535 | * Later the "pass" rule will avoid the "alert" rule match | |
536 | */ | |
537 | ||
538 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
539 | if (de_ctx == NULL) | |
540 | goto cleanup; | |
541 | de_ctx->flags |= DE_QUIET; | |
542 | ||
543 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
544 | goto cleanup; | |
545 | ||
546 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
547 | SCSigOrderSignatures(de_ctx); | |
548 | ||
12386689 PR |
549 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
550 | ||
551 | cleanup: | |
552 | UTHFreePackets(p, 3); | |
553 | ||
554 | if (de_ctx != NULL) { | |
555 | SigGroupCleanup(de_ctx); | |
556 | SigCleanSignatures(de_ctx); | |
557 | DetectEngineCtxFree(de_ctx); | |
558 | } | |
559 | ||
560 | end: | |
561 | /* Restore default values */ | |
562 | action_order_sigs[0] = ACTION_PASS; | |
563 | action_order_sigs[1] = ACTION_DROP; | |
564 | action_order_sigs[2] = ACTION_REJECT; | |
565 | action_order_sigs[3] = ACTION_ALERT; | |
566 | return res; | |
567 | } | |
568 | ||
569 | /** | |
570 | * \test Check that we handle the "pass" action | |
571 | * correctly at the detection engine in the default case | |
572 | */ | |
ab1200fb | 573 | static int UtilActionTest10(void) |
12386689 PR |
574 | { |
575 | int res = 0; | |
576 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
577 | uint16_t buflen = strlen((char *)buf); | |
578 | uint8_t *buf2 = (uint8_t *)"wo!"; | |
579 | uint16_t buflen2 = strlen((char *)buf2); | |
580 | Packet *p[3]; | |
581 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
582 | "192.168.1.5", "192.168.1.1", | |
583 | 41424, 80); | |
584 | p[1] = UTHBuildPacketReal((uint8_t *)buf2, buflen2, IPPROTO_TCP, | |
585 | "192.168.1.1", "192.168.1.5", | |
586 | 80, 41424); | |
587 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
588 | "192.168.1.5", "192.168.1.1", | |
589 | 41424, 80); | |
590 | ||
591 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
592 | goto end; | |
593 | ||
ab1200fb | 594 | const char *sigs[3]; |
7433d92d AS |
595 | sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)"; |
596 | sigs[1]= "pass ip any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)"; | |
597 | sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)"; | |
12386689 PR |
598 | |
599 | uint32_t sid[3] = {1, 2, 3}; | |
600 | ||
601 | uint32_t results[3][3] = { | |
602 | {1, 0, 1}, | |
603 | {0, 0, 0}, | |
604 | {1, 0, 1} }; | |
605 | /* This means that with the second packet, the results will be | |
606 | * all ({0,0,0}) since, we should match the "pass" rule first | |
607 | */ | |
608 | ||
609 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
610 | if (de_ctx == NULL) | |
611 | goto cleanup; | |
612 | de_ctx->flags |= DE_QUIET; | |
613 | ||
614 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
615 | goto cleanup; | |
616 | ||
617 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
618 | SCSigOrderSignatures(de_ctx); | |
619 | ||
12386689 PR |
620 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
621 | ||
622 | cleanup: | |
623 | UTHFreePackets(p, 3); | |
624 | ||
625 | if (de_ctx != NULL) { | |
626 | SigGroupCleanup(de_ctx); | |
627 | SigCleanSignatures(de_ctx); | |
628 | DetectEngineCtxFree(de_ctx); | |
629 | } | |
630 | ||
631 | end: | |
632 | return res; | |
633 | } | |
634 | ||
635 | /** | |
636 | * \test Check that we handle the "pass" action | |
637 | * correctly at the detection engine with more | |
638 | * prio to drop | |
639 | */ | |
ab1200fb | 640 | static int UtilActionTest11(void) |
12386689 PR |
641 | { |
642 | int res = 1; | |
643 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
644 | uint16_t buflen = strlen((char *)buf); | |
645 | uint8_t *buf2 = (uint8_t *)"Hi all wo!"; | |
646 | uint16_t buflen2 = strlen((char *)buf2); | |
647 | Packet *p[3]; | |
648 | ||
649 | action_order_sigs[0] = ACTION_DROP; | |
650 | action_order_sigs[1] = ACTION_PASS; | |
651 | action_order_sigs[2] = ACTION_REJECT; | |
652 | action_order_sigs[3] = ACTION_ALERT; | |
653 | ||
654 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
655 | "192.168.1.5", "192.168.1.1", | |
656 | 41424, 80); | |
657 | p[1] = UTHBuildPacketReal((uint8_t *)buf2, buflen2, IPPROTO_TCP, | |
658 | "192.168.1.1", "192.168.1.5", | |
659 | 80, 41424); | |
660 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
661 | "192.168.1.5", "192.168.1.1", | |
662 | 41424, 80); | |
663 | ||
664 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
665 | goto end; | |
666 | ||
ab1200fb | 667 | const char *sigs[3]; |
7433d92d AS |
668 | sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)"; |
669 | sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)"; | |
670 | sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)"; | |
12386689 PR |
671 | |
672 | uint32_t sid[3] = {1, 2, 3}; | |
673 | ||
674 | uint32_t results[3][3] = { | |
675 | {1, 0, 1}, | |
676 | {0, 0, 1}, | |
677 | {1, 0, 1} }; | |
678 | /* This means that with the second packet, the results will be | |
679 | * all ({0,0,1}) since, we should match the "drop" rule first. | |
680 | * Later the "pass" rule will avoid the "alert" rule match | |
681 | */ | |
682 | ||
683 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
684 | if (de_ctx == NULL) | |
685 | goto cleanup; | |
686 | de_ctx->flags |= DE_QUIET; | |
687 | ||
688 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
689 | goto cleanup; | |
690 | ||
691 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
692 | SCSigOrderSignatures(de_ctx); | |
693 | ||
12386689 PR |
694 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
695 | ||
696 | cleanup: | |
697 | UTHFreePackets(p, 3); | |
698 | ||
699 | if (de_ctx != NULL) { | |
700 | SigGroupCleanup(de_ctx); | |
701 | SigCleanSignatures(de_ctx); | |
702 | DetectEngineCtxFree(de_ctx); | |
703 | } | |
704 | ||
705 | end: | |
706 | /* Restore default values */ | |
707 | action_order_sigs[0] = ACTION_PASS; | |
708 | action_order_sigs[1] = ACTION_DROP; | |
709 | action_order_sigs[2] = ACTION_REJECT; | |
710 | action_order_sigs[3] = ACTION_ALERT; | |
711 | return res; | |
712 | } | |
713 | ||
714 | /** | |
715 | * \test Check that we handle the "pass" action | |
716 | * correctly at the detection engine in the default case | |
717 | */ | |
ab1200fb | 718 | static int UtilActionTest12(void) |
12386689 PR |
719 | { |
720 | int res = 0; | |
721 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
722 | uint16_t buflen = strlen((char *)buf); | |
723 | Packet *p[3]; | |
724 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
725 | "192.168.1.5", "192.168.1.1", | |
726 | 41424, 80); | |
727 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
728 | "192.168.1.1", "192.168.1.5", | |
729 | 80, 41424); | |
730 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
731 | "192.168.1.5", "192.168.1.1", | |
732 | 41424, 80); | |
733 | ||
734 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
735 | goto end; | |
736 | ||
ab1200fb | 737 | const char *sigs[3]; |
12386689 PR |
738 | sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)"; |
739 | sigs[1]= "pass ip any any -> any any (msg:\"Testing normal 2\"; sid:2;)"; | |
740 | sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; sid:3;)"; | |
741 | ||
742 | uint32_t sid[3] = {1, 2, 3}; | |
743 | ||
744 | uint32_t results[3][3] = { | |
745 | {0, 0, 0}, | |
746 | {0, 0, 0}, | |
747 | {0, 0, 0} }; | |
748 | /* All should match the 3 sigs, but the action pass has prio */ | |
749 | ||
750 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
751 | if (de_ctx == NULL) | |
752 | goto cleanup; | |
753 | de_ctx->flags |= DE_QUIET; | |
754 | ||
755 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
756 | goto cleanup; | |
757 | ||
758 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
759 | SCSigOrderSignatures(de_ctx); | |
760 | ||
12386689 PR |
761 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
762 | ||
763 | cleanup: | |
764 | UTHFreePackets(p, 3); | |
765 | ||
766 | if (de_ctx != NULL) { | |
767 | SigGroupCleanup(de_ctx); | |
768 | SigCleanSignatures(de_ctx); | |
769 | DetectEngineCtxFree(de_ctx); | |
770 | } | |
771 | ||
772 | end: | |
773 | return res; | |
774 | } | |
775 | ||
776 | /** | |
777 | * \test Check that we handle the "pass" action | |
778 | * correctly at the detection engine with more | |
779 | * prio to drop | |
780 | */ | |
ab1200fb | 781 | static int UtilActionTest13(void) |
12386689 PR |
782 | { |
783 | int res = 1; | |
784 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
785 | uint16_t buflen = strlen((char *)buf); | |
786 | Packet *p[3]; | |
787 | ||
788 | action_order_sigs[0] = ACTION_DROP; | |
789 | action_order_sigs[1] = ACTION_PASS; | |
790 | action_order_sigs[2] = ACTION_REJECT; | |
791 | action_order_sigs[3] = ACTION_ALERT; | |
792 | ||
793 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
794 | "192.168.1.5", "192.168.1.1", | |
795 | 41424, 80); | |
796 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
797 | "192.168.1.1", "192.168.1.5", | |
798 | 80, 41424); | |
799 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
800 | "192.168.1.5", "192.168.1.1", | |
801 | 41424, 80); | |
802 | ||
803 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
804 | goto end; | |
805 | ||
ab1200fb | 806 | const char *sigs[3]; |
7433d92d AS |
807 | sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)"; |
808 | sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; | |
809 | sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)"; | |
12386689 PR |
810 | |
811 | uint32_t sid[3] = {1, 2, 3}; | |
812 | ||
813 | uint32_t results[3][3] = { | |
814 | {0, 0, 1}, | |
815 | {0, 0, 1}, | |
816 | {0, 0, 1} }; | |
817 | /* All the patckets should match the 3 sigs. As drop has more | |
818 | * priority than pass, it should alert on each packet */ | |
819 | ||
820 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
821 | if (de_ctx == NULL) | |
822 | goto cleanup; | |
823 | de_ctx->flags |= DE_QUIET; | |
824 | ||
825 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
826 | goto cleanup; | |
827 | ||
828 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
829 | SCSigOrderSignatures(de_ctx); | |
830 | ||
12386689 PR |
831 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
832 | ||
833 | cleanup: | |
834 | UTHFreePackets(p, 3); | |
835 | ||
836 | if (de_ctx != NULL) { | |
837 | SigGroupCleanup(de_ctx); | |
838 | SigCleanSignatures(de_ctx); | |
839 | DetectEngineCtxFree(de_ctx); | |
840 | } | |
841 | ||
842 | end: | |
843 | /* Restore default values */ | |
844 | action_order_sigs[0] = ACTION_PASS; | |
845 | action_order_sigs[1] = ACTION_DROP; | |
846 | action_order_sigs[2] = ACTION_REJECT; | |
847 | action_order_sigs[3] = ACTION_ALERT; | |
848 | return res; | |
849 | } | |
850 | ||
851 | /** | |
852 | * \test Check that we handle the "pass" action | |
853 | * correctly at the detection engine with more | |
854 | * prio to drop and alert | |
855 | */ | |
ab1200fb | 856 | static int UtilActionTest14(void) |
12386689 PR |
857 | { |
858 | int res = 1; | |
859 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
860 | uint16_t buflen = strlen((char *)buf); | |
861 | Packet *p[3]; | |
862 | ||
863 | action_order_sigs[0] = ACTION_DROP; | |
864 | action_order_sigs[1] = ACTION_ALERT; | |
865 | action_order_sigs[2] = ACTION_REJECT; | |
866 | action_order_sigs[3] = ACTION_PASS; | |
867 | ||
868 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
869 | "192.168.1.5", "192.168.1.1", | |
870 | 41424, 80); | |
871 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
872 | "192.168.1.1", "192.168.1.5", | |
873 | 80, 41424); | |
874 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
875 | "192.168.1.5", "192.168.1.1", | |
876 | 41424, 80); | |
877 | ||
878 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
879 | goto end; | |
880 | ||
ab1200fb | 881 | const char *sigs[3]; |
7433d92d AS |
882 | sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)"; |
883 | sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; | |
884 | sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)"; | |
12386689 PR |
885 | |
886 | uint32_t sid[3] = {1, 2, 3}; | |
887 | ||
888 | uint32_t results[3][3] = { | |
889 | {1, 0, 1}, | |
890 | {1, 0, 1}, | |
891 | {1, 0, 1} }; | |
892 | /* All the patckets should match the 3 sigs. As drop | |
893 | * and alert have more priority than pass, both should | |
894 | * alert on each packet */ | |
895 | ||
896 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
897 | if (de_ctx == NULL) | |
898 | goto cleanup; | |
899 | de_ctx->flags |= DE_QUIET; | |
900 | ||
901 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
902 | goto cleanup; | |
903 | ||
904 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
905 | SCSigOrderSignatures(de_ctx); | |
906 | ||
12386689 PR |
907 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
908 | ||
909 | cleanup: | |
910 | UTHFreePackets(p, 3); | |
911 | ||
912 | if (de_ctx != NULL) { | |
913 | SigGroupCleanup(de_ctx); | |
914 | SigCleanSignatures(de_ctx); | |
915 | DetectEngineCtxFree(de_ctx); | |
916 | } | |
917 | ||
918 | end: | |
919 | /* Restore default values */ | |
920 | action_order_sigs[0] = ACTION_PASS; | |
921 | action_order_sigs[1] = ACTION_DROP; | |
922 | action_order_sigs[2] = ACTION_REJECT; | |
923 | action_order_sigs[3] = ACTION_ALERT; | |
924 | return res; | |
925 | } | |
926 | ||
8bcdf29a PR |
927 | /** |
928 | * \test Check mixed sigs (iponly and normal) | |
929 | */ | |
ab1200fb | 930 | static int UtilActionTest15(void) |
8bcdf29a PR |
931 | { |
932 | int res = 1; | |
933 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
934 | uint16_t buflen = strlen((char *)buf); | |
935 | Packet *p[3]; | |
936 | ||
937 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
938 | "192.168.1.5", "192.168.1.1", | |
939 | 41424, 80); | |
940 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
941 | "192.168.1.1", "192.168.1.5", | |
942 | 80, 41424); | |
943 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
944 | "192.168.1.5", "192.168.1.1", | |
945 | 41424, 80); | |
946 | ||
947 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
948 | goto end; | |
949 | ||
ab1200fb | 950 | const char *sigs[3]; |
8bcdf29a | 951 | sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; |
7433d92d | 952 | sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; |
8bcdf29a PR |
953 | sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; |
954 | ||
955 | uint32_t sid[3] = {1, 2, 3}; | |
956 | ||
957 | uint32_t results[3][3] = { | |
958 | {0, 0, 0}, | |
959 | {0, 0, 0}, | |
960 | {0, 0, 0} }; | |
961 | /* All the patckets should match the 3 sigs. As drop | |
962 | * and alert have more priority than pass, both should | |
963 | * alert on each packet */ | |
964 | ||
965 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
966 | if (de_ctx == NULL) | |
967 | goto cleanup; | |
968 | de_ctx->flags |= DE_QUIET; | |
969 | ||
970 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
971 | goto cleanup; | |
972 | ||
973 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
974 | SCSigOrderSignatures(de_ctx); | |
975 | ||
8bcdf29a PR |
976 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
977 | ||
978 | cleanup: | |
979 | UTHFreePackets(p, 3); | |
980 | ||
981 | if (de_ctx != NULL) { | |
982 | SigGroupCleanup(de_ctx); | |
983 | SigCleanSignatures(de_ctx); | |
984 | DetectEngineCtxFree(de_ctx); | |
985 | } | |
986 | ||
987 | end: | |
988 | return res; | |
989 | } | |
990 | ||
991 | /** | |
992 | * \test Check mixed sigs (iponly and normal) | |
993 | */ | |
ab1200fb | 994 | static int UtilActionTest16(void) |
8bcdf29a PR |
995 | { |
996 | int res = 1; | |
997 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
998 | uint16_t buflen = strlen((char *)buf); | |
999 | Packet *p[3]; | |
1000 | ||
1001 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1002 | "192.168.1.5", "192.168.1.1", | |
1003 | 41424, 80); | |
1004 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1005 | "192.168.1.1", "192.168.1.5", | |
1006 | 80, 41424); | |
1007 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1008 | "192.168.1.5", "192.168.1.1", | |
1009 | 41424, 80); | |
1010 | ||
1011 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
1012 | goto end; | |
1013 | ||
ab1200fb | 1014 | const char *sigs[3]; |
8bcdf29a | 1015 | sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; |
7433d92d | 1016 | sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; |
8bcdf29a PR |
1017 | sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; |
1018 | ||
1019 | uint32_t sid[3] = {1, 2, 3}; | |
1020 | ||
1021 | uint32_t results[3][3] = { | |
1022 | {0, 0, 0}, | |
1023 | {0, 0, 0}, | |
1024 | {0, 0, 0} }; | |
1025 | /* All the patckets should match the 3 sigs. As drop | |
1026 | * and alert have more priority than pass, both should | |
1027 | * alert on each packet */ | |
1028 | ||
1029 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
1030 | if (de_ctx == NULL) | |
1031 | goto cleanup; | |
1032 | de_ctx->flags |= DE_QUIET; | |
1033 | ||
1034 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
1035 | goto cleanup; | |
1036 | ||
1037 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
1038 | SCSigOrderSignatures(de_ctx); | |
1039 | ||
8bcdf29a PR |
1040 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
1041 | ||
1042 | cleanup: | |
1043 | UTHFreePackets(p, 3); | |
1044 | ||
1045 | if (de_ctx != NULL) { | |
1046 | SigGroupCleanup(de_ctx); | |
1047 | SigCleanSignatures(de_ctx); | |
1048 | DetectEngineCtxFree(de_ctx); | |
1049 | } | |
1050 | ||
1051 | end: | |
1052 | return res; | |
1053 | } | |
1054 | ||
1055 | /** | |
1056 | * \test Check mixed sigs (iponly and normal) | |
1057 | */ | |
ab1200fb | 1058 | static int UtilActionTest17(void) |
8bcdf29a PR |
1059 | { |
1060 | int res = 1; | |
1061 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
1062 | uint16_t buflen = strlen((char *)buf); | |
1063 | Packet *p[3]; | |
1064 | ||
1065 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1066 | "192.168.1.5", "192.168.1.1", | |
1067 | 41424, 80); | |
1068 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1069 | "192.168.1.1", "192.168.1.5", | |
1070 | 80, 41424); | |
1071 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1072 | "192.168.1.5", "192.168.1.1", | |
1073 | 41424, 80); | |
1074 | ||
1075 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
1076 | goto end; | |
1077 | ||
ab1200fb | 1078 | const char *sigs[3]; |
8bcdf29a | 1079 | sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; |
7433d92d | 1080 | sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; |
8bcdf29a PR |
1081 | sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; |
1082 | ||
1083 | uint32_t sid[3] = {1, 2, 3}; | |
1084 | ||
1085 | uint32_t results[3][3] = { | |
1086 | {0, 0, 0}, | |
1087 | {0, 0, 0}, | |
1088 | {0, 0, 0} }; | |
1089 | /* All the patckets should match the 3 sigs. As drop | |
1090 | * and alert have more priority than pass, both should | |
1091 | * alert on each packet */ | |
1092 | ||
1093 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
1094 | if (de_ctx == NULL) | |
1095 | goto cleanup; | |
1096 | de_ctx->flags |= DE_QUIET; | |
1097 | ||
1098 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
1099 | goto cleanup; | |
1100 | ||
1101 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
1102 | SCSigOrderSignatures(de_ctx); | |
1103 | ||
8bcdf29a PR |
1104 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
1105 | ||
1106 | cleanup: | |
1107 | UTHFreePackets(p, 3); | |
1108 | ||
1109 | if (de_ctx != NULL) { | |
1110 | SigGroupCleanup(de_ctx); | |
1111 | SigCleanSignatures(de_ctx); | |
1112 | DetectEngineCtxFree(de_ctx); | |
1113 | } | |
1114 | ||
1115 | end: | |
1116 | return res; | |
1117 | } | |
1118 | ||
1119 | /** | |
1120 | * \test Check mixed sigs (iponly and normal) with more prio for drop | |
1121 | */ | |
ab1200fb | 1122 | static int UtilActionTest18(void) |
8bcdf29a PR |
1123 | { |
1124 | int res = 1; | |
1125 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
1126 | uint16_t buflen = strlen((char *)buf); | |
1127 | Packet *p[3]; | |
1128 | ||
1129 | action_order_sigs[0] = ACTION_DROP; | |
1130 | action_order_sigs[1] = ACTION_PASS; | |
1131 | action_order_sigs[2] = ACTION_REJECT; | |
1132 | action_order_sigs[3] = ACTION_ALERT; | |
1133 | ||
1134 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1135 | "192.168.1.5", "192.168.1.1", | |
1136 | 41424, 80); | |
1137 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1138 | "192.168.1.1", "192.168.1.5", | |
1139 | 80, 41424); | |
1140 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1141 | "192.168.1.5", "192.168.1.1", | |
1142 | 41424, 80); | |
1143 | ||
1144 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
1145 | goto end; | |
1146 | ||
ab1200fb | 1147 | const char *sigs[3]; |
8bcdf29a | 1148 | sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; |
7433d92d | 1149 | sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; |
8bcdf29a PR |
1150 | sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; |
1151 | ||
1152 | uint32_t sid[3] = {1, 2, 3}; | |
1153 | ||
1154 | uint32_t results[3][3] = { | |
1155 | {0, 0, 1}, | |
1156 | {0, 0, 1}, | |
1157 | {0, 0, 1} }; | |
1158 | /* All the patckets should match the 3 sigs. As drop | |
1159 | * and alert have more priority than pass, both should | |
1160 | * alert on each packet */ | |
1161 | ||
1162 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
1163 | if (de_ctx == NULL) | |
1164 | goto cleanup; | |
1165 | de_ctx->flags |= DE_QUIET; | |
1166 | ||
1167 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
1168 | goto cleanup; | |
1169 | ||
1170 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
1171 | SCSigOrderSignatures(de_ctx); | |
1172 | ||
8bcdf29a PR |
1173 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
1174 | ||
1175 | cleanup: | |
1176 | UTHFreePackets(p, 3); | |
1177 | ||
1178 | if (de_ctx != NULL) { | |
1179 | SigGroupCleanup(de_ctx); | |
1180 | SigCleanSignatures(de_ctx); | |
1181 | DetectEngineCtxFree(de_ctx); | |
1182 | } | |
1183 | ||
1184 | end: | |
1185 | /* Restore default values */ | |
1186 | action_order_sigs[0] = ACTION_PASS; | |
1187 | action_order_sigs[1] = ACTION_DROP; | |
1188 | action_order_sigs[2] = ACTION_REJECT; | |
1189 | action_order_sigs[3] = ACTION_ALERT; | |
1190 | ||
1191 | return res; | |
1192 | } | |
1193 | ||
1194 | /** | |
1195 | * \test Check mixed sigs (iponly and normal) with more prio for drop | |
1196 | */ | |
ab1200fb | 1197 | static int UtilActionTest19(void) |
8bcdf29a PR |
1198 | { |
1199 | int res = 1; | |
1200 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
1201 | uint16_t buflen = strlen((char *)buf); | |
1202 | Packet *p[3]; | |
1203 | ||
1204 | action_order_sigs[0] = ACTION_DROP; | |
1205 | action_order_sigs[1] = ACTION_PASS; | |
1206 | action_order_sigs[2] = ACTION_REJECT; | |
1207 | action_order_sigs[3] = ACTION_ALERT; | |
1208 | ||
1209 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1210 | "192.168.1.5", "192.168.1.1", | |
1211 | 41424, 80); | |
1212 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1213 | "192.168.1.1", "192.168.1.5", | |
1214 | 80, 41424); | |
1215 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1216 | "192.168.1.5", "192.168.1.1", | |
1217 | 41424, 80); | |
1218 | ||
1219 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
1220 | goto end; | |
1221 | ||
ab1200fb | 1222 | const char *sigs[3]; |
8bcdf29a | 1223 | sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; |
7433d92d | 1224 | sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; |
8bcdf29a PR |
1225 | sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; |
1226 | ||
1227 | uint32_t sid[3] = {1, 2, 3}; | |
1228 | ||
1229 | uint32_t results[3][3] = { | |
1230 | {1, 0, 0}, | |
1231 | {1, 0, 0}, | |
1232 | {1, 0, 0} }; | |
1233 | /* All the patckets should match the 3 sigs. As drop | |
1234 | * and alert have more priority than pass, both should | |
1235 | * alert on each packet */ | |
1236 | ||
1237 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
1238 | if (de_ctx == NULL) | |
1239 | goto cleanup; | |
1240 | de_ctx->flags |= DE_QUIET; | |
1241 | ||
1242 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
1243 | goto cleanup; | |
1244 | ||
1245 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
1246 | SCSigOrderSignatures(de_ctx); | |
1247 | ||
8bcdf29a PR |
1248 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
1249 | ||
1250 | cleanup: | |
1251 | UTHFreePackets(p, 3); | |
1252 | ||
1253 | if (de_ctx != NULL) { | |
1254 | SigGroupCleanup(de_ctx); | |
1255 | SigCleanSignatures(de_ctx); | |
1256 | DetectEngineCtxFree(de_ctx); | |
1257 | } | |
1258 | ||
1259 | end: | |
1260 | /* Restore default values */ | |
1261 | action_order_sigs[0] = ACTION_PASS; | |
1262 | action_order_sigs[1] = ACTION_DROP; | |
1263 | action_order_sigs[2] = ACTION_REJECT; | |
1264 | action_order_sigs[3] = ACTION_ALERT; | |
1265 | ||
1266 | return res; | |
1267 | } | |
1268 | ||
1269 | /** | |
1270 | * \test Check mixed sigs (iponly and normal) with more prio for drop | |
1271 | */ | |
ab1200fb | 1272 | static int UtilActionTest20(void) |
8bcdf29a PR |
1273 | { |
1274 | int res = 1; | |
1275 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
1276 | uint16_t buflen = strlen((char *)buf); | |
1277 | Packet *p[3]; | |
1278 | ||
1279 | action_order_sigs[0] = ACTION_DROP; | |
1280 | action_order_sigs[1] = ACTION_PASS; | |
1281 | action_order_sigs[2] = ACTION_REJECT; | |
1282 | action_order_sigs[3] = ACTION_ALERT; | |
1283 | ||
1284 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1285 | "192.168.1.5", "192.168.1.1", | |
1286 | 41424, 80); | |
1287 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1288 | "192.168.1.1", "192.168.1.5", | |
1289 | 80, 41424); | |
1290 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1291 | "192.168.1.5", "192.168.1.1", | |
1292 | 41424, 80); | |
1293 | ||
1294 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
1295 | goto end; | |
1296 | ||
ab1200fb | 1297 | const char *sigs[3]; |
8bcdf29a | 1298 | sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; |
7433d92d | 1299 | sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; |
8bcdf29a PR |
1300 | sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; |
1301 | ||
1302 | uint32_t sid[3] = {1, 2, 3}; | |
1303 | ||
1304 | uint32_t results[3][3] = { | |
1305 | {0, 1, 0}, | |
1306 | {0, 1, 0}, | |
1307 | {0, 1, 0} }; | |
1308 | /* All the patckets should match the 3 sigs. As drop | |
1309 | * and alert have more priority than pass, both should | |
1310 | * alert on each packet */ | |
1311 | ||
1312 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
1313 | if (de_ctx == NULL) | |
1314 | goto cleanup; | |
1315 | de_ctx->flags |= DE_QUIET; | |
1316 | ||
1317 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
1318 | goto cleanup; | |
1319 | ||
1320 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
1321 | SCSigOrderSignatures(de_ctx); | |
1322 | ||
8bcdf29a PR |
1323 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
1324 | ||
1325 | cleanup: | |
1326 | UTHFreePackets(p, 3); | |
1327 | ||
1328 | if (de_ctx != NULL) { | |
1329 | SigGroupCleanup(de_ctx); | |
1330 | SigCleanSignatures(de_ctx); | |
1331 | DetectEngineCtxFree(de_ctx); | |
1332 | } | |
1333 | ||
1334 | end: | |
1335 | return res; | |
1336 | } | |
1337 | ||
1338 | /** | |
1339 | * \test Check mixed sigs (iponly and normal) with more prio for alert and drop | |
1340 | */ | |
ab1200fb | 1341 | static int UtilActionTest21(void) |
8bcdf29a PR |
1342 | { |
1343 | int res = 1; | |
1344 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
1345 | uint16_t buflen = strlen((char *)buf); | |
1346 | Packet *p[3]; | |
1347 | ||
1348 | action_order_sigs[0] = ACTION_DROP; | |
1349 | action_order_sigs[1] = ACTION_ALERT; | |
1350 | action_order_sigs[2] = ACTION_REJECT; | |
1351 | action_order_sigs[3] = ACTION_PASS; | |
1352 | ||
1353 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1354 | "192.168.1.5", "192.168.1.1", | |
1355 | 41424, 80); | |
1356 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1357 | "192.168.1.1", "192.168.1.5", | |
1358 | 80, 41424); | |
1359 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1360 | "192.168.1.5", "192.168.1.1", | |
1361 | 41424, 80); | |
1362 | ||
1363 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
1364 | goto end; | |
1365 | ||
ab1200fb | 1366 | const char *sigs[3]; |
8bcdf29a | 1367 | sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; |
7433d92d | 1368 | sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; |
8bcdf29a PR |
1369 | sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; |
1370 | ||
1371 | uint32_t sid[3] = {1, 2, 3}; | |
1372 | ||
1373 | uint32_t results[3][3] = { | |
1374 | {1, 0, 1}, | |
1375 | {1, 0, 1}, | |
1376 | {1, 0, 1} }; | |
1377 | /* All the patckets should match the 3 sigs. As drop | |
1378 | * and alert have more priority than pass, both should | |
1379 | * alert on each packet */ | |
1380 | ||
1381 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
1382 | if (de_ctx == NULL) | |
1383 | goto cleanup; | |
1384 | de_ctx->flags |= DE_QUIET; | |
1385 | ||
1386 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
1387 | goto cleanup; | |
1388 | ||
1389 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
1390 | SCSigOrderSignatures(de_ctx); | |
1391 | ||
8bcdf29a PR |
1392 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
1393 | ||
1394 | cleanup: | |
1395 | UTHFreePackets(p, 3); | |
1396 | ||
1397 | if (de_ctx != NULL) { | |
1398 | SigGroupCleanup(de_ctx); | |
1399 | SigCleanSignatures(de_ctx); | |
1400 | DetectEngineCtxFree(de_ctx); | |
1401 | } | |
1402 | ||
1403 | end: | |
1404 | /* Restore default values */ | |
1405 | action_order_sigs[0] = ACTION_PASS; | |
1406 | action_order_sigs[1] = ACTION_DROP; | |
1407 | action_order_sigs[2] = ACTION_REJECT; | |
1408 | action_order_sigs[3] = ACTION_ALERT; | |
1409 | ||
1410 | return res; | |
1411 | } | |
1412 | ||
1413 | /** | |
1414 | * \test Check mixed sigs (iponly and normal) with more prio for alert and drop | |
1415 | */ | |
ab1200fb | 1416 | static int UtilActionTest22(void) |
8bcdf29a PR |
1417 | { |
1418 | int res = 1; | |
1419 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
1420 | uint16_t buflen = strlen((char *)buf); | |
1421 | Packet *p[3]; | |
1422 | ||
1423 | action_order_sigs[0] = ACTION_DROP; | |
1424 | action_order_sigs[1] = ACTION_ALERT; | |
1425 | action_order_sigs[2] = ACTION_REJECT; | |
1426 | action_order_sigs[3] = ACTION_PASS; | |
1427 | ||
1428 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1429 | "192.168.1.5", "192.168.1.1", | |
1430 | 41424, 80); | |
1431 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1432 | "192.168.1.1", "192.168.1.5", | |
1433 | 80, 41424); | |
1434 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1435 | "192.168.1.5", "192.168.1.1", | |
1436 | 41424, 80); | |
1437 | ||
1438 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
1439 | goto end; | |
1440 | ||
ab1200fb | 1441 | const char *sigs[3]; |
8bcdf29a | 1442 | sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; |
7433d92d | 1443 | sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; |
8bcdf29a PR |
1444 | sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; |
1445 | ||
1446 | uint32_t sid[3] = {1, 2, 3}; | |
1447 | ||
1448 | uint32_t results[3][3] = { | |
1449 | {1, 1, 0}, | |
1450 | {1, 1, 0}, | |
1451 | {1, 1, 0} }; | |
1452 | /* All the patckets should match the 3 sigs. As drop | |
1453 | * and alert have more priority than pass, both should | |
1454 | * alert on each packet */ | |
1455 | ||
1456 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
1457 | if (de_ctx == NULL) | |
1458 | goto cleanup; | |
1459 | de_ctx->flags |= DE_QUIET; | |
1460 | ||
1461 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
1462 | goto cleanup; | |
1463 | ||
1464 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
1465 | SCSigOrderSignatures(de_ctx); | |
1466 | ||
8bcdf29a PR |
1467 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
1468 | ||
1469 | cleanup: | |
1470 | UTHFreePackets(p, 3); | |
1471 | ||
1472 | if (de_ctx != NULL) { | |
1473 | SigGroupCleanup(de_ctx); | |
1474 | SigCleanSignatures(de_ctx); | |
1475 | DetectEngineCtxFree(de_ctx); | |
1476 | } | |
1477 | ||
1478 | end: | |
1479 | /* Restore default values */ | |
1480 | action_order_sigs[0] = ACTION_PASS; | |
1481 | action_order_sigs[1] = ACTION_DROP; | |
1482 | action_order_sigs[2] = ACTION_REJECT; | |
1483 | action_order_sigs[3] = ACTION_ALERT; | |
1484 | ||
1485 | return res; | |
1486 | } | |
1487 | ||
1488 | /** | |
1489 | * \test Check mixed sigs (iponly and normal) with more prio for alert and drop | |
1490 | */ | |
ab1200fb | 1491 | static int UtilActionTest23(void) |
8bcdf29a PR |
1492 | { |
1493 | int res = 1; | |
1494 | uint8_t *buf = (uint8_t *)"Hi all!"; | |
1495 | uint16_t buflen = strlen((char *)buf); | |
1496 | Packet *p[3]; | |
1497 | ||
1498 | action_order_sigs[0] = ACTION_DROP; | |
1499 | action_order_sigs[1] = ACTION_ALERT; | |
1500 | action_order_sigs[2] = ACTION_REJECT; | |
1501 | action_order_sigs[3] = ACTION_PASS; | |
1502 | ||
1503 | p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1504 | "192.168.1.5", "192.168.1.1", | |
1505 | 41424, 80); | |
1506 | p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1507 | "192.168.1.1", "192.168.1.5", | |
1508 | 80, 41424); | |
1509 | p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, | |
1510 | "192.168.1.5", "192.168.1.1", | |
1511 | 41424, 80); | |
1512 | ||
1513 | if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) | |
1514 | goto end; | |
1515 | ||
ab1200fb | 1516 | const char *sigs[3]; |
8bcdf29a | 1517 | sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; |
7433d92d | 1518 | sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; |
8bcdf29a PR |
1519 | sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; |
1520 | ||
1521 | uint32_t sid[3] = {1, 2, 3}; | |
1522 | ||
1523 | uint32_t results[3][3] = { | |
1524 | {0, 1, 1}, | |
1525 | {0, 1, 1}, | |
1526 | {0, 1, 1} }; | |
1527 | /* All the patckets should match the 3 sigs. As drop | |
1528 | * and alert have more priority than pass, both should | |
1529 | * alert on each packet */ | |
1530 | ||
1531 | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); | |
1532 | if (de_ctx == NULL) | |
1533 | goto cleanup; | |
1534 | de_ctx->flags |= DE_QUIET; | |
1535 | ||
1536 | if (UTHAppendSigs(de_ctx, sigs, 3) == 0) | |
1537 | goto cleanup; | |
1538 | ||
1539 | SCSigRegisterSignatureOrderingFuncs(de_ctx); | |
1540 | SCSigOrderSignatures(de_ctx); | |
1541 | ||
8bcdf29a PR |
1542 | res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); |
1543 | ||
1544 | cleanup: | |
1545 | UTHFreePackets(p, 3); | |
1546 | ||
1547 | if (de_ctx != NULL) { | |
1548 | SigGroupCleanup(de_ctx); | |
1549 | SigCleanSignatures(de_ctx); | |
1550 | DetectEngineCtxFree(de_ctx); | |
1551 | } | |
1552 | ||
2e5292e2 JI |
1553 | /* Restore default values */ |
1554 | action_order_sigs[0] = ACTION_PASS; | |
1555 | action_order_sigs[1] = ACTION_DROP; | |
1556 | action_order_sigs[2] = ACTION_REJECT; | |
1557 | action_order_sigs[3] = ACTION_ALERT; | |
1558 | ||
8bcdf29a PR |
1559 | end: |
1560 | return res; | |
1561 | } | |
1562 | ||
2e5292e2 JI |
1563 | /** |
1564 | * \test Check that the expected defaults are loaded if the | |
1565 | * action-order configuration is not present. | |
1566 | */ | |
ab1200fb | 1567 | static int UtilActionTest24(void) |
2e5292e2 JI |
1568 | { |
1569 | int res = 1; | |
1570 | char config[] = "%YAML 1.1\n" | |
1571 | "---\n"; | |
1572 | ||
1573 | ConfCreateContextBackup(); | |
1574 | ConfInit(); | |
1575 | ConfYamlLoadString(config, strlen(config)); | |
1576 | ||
1577 | if (ActionInitConfig() != 0) { | |
1578 | res = 0; | |
1579 | goto done; | |
1580 | } | |
1581 | if (action_order_sigs[0] != ACTION_PASS || | |
1582 | action_order_sigs[1] != ACTION_DROP || | |
1583 | action_order_sigs[2] != ACTION_REJECT || | |
1584 | action_order_sigs[3] != ACTION_ALERT) { | |
1585 | res = 0; | |
1586 | } | |
1587 | ||
1588 | done: | |
1589 | ConfRestoreContextBackup(); | |
1590 | return res; | |
1591 | } | |
1592 | ||
12386689 PR |
1593 | #endif |
1594 | ||
1595 | /* Register unittests */ | |
8f1d7503 KS |
1596 | void UtilActionRegisterTests(void) |
1597 | { | |
12386689 PR |
1598 | #ifdef UNITTESTS |
1599 | /* Generic tests */ | |
796dd522 JI |
1600 | UtRegisterTest("UtilActionTest01", UtilActionTest01); |
1601 | UtRegisterTest("UtilActionTest02", UtilActionTest02); | |
1602 | UtRegisterTest("UtilActionTest02", UtilActionTest02); | |
1603 | UtRegisterTest("UtilActionTest03", UtilActionTest03); | |
1604 | UtRegisterTest("UtilActionTest04", UtilActionTest04); | |
1605 | UtRegisterTest("UtilActionTest05", UtilActionTest05); | |
1606 | UtRegisterTest("UtilActionTest06", UtilActionTest06); | |
1607 | UtRegisterTest("UtilActionTest07", UtilActionTest07); | |
1608 | UtRegisterTest("UtilActionTest08", UtilActionTest08); | |
1609 | UtRegisterTest("UtilActionTest09", UtilActionTest09); | |
1610 | UtRegisterTest("UtilActionTest10", UtilActionTest10); | |
1611 | UtRegisterTest("UtilActionTest11", UtilActionTest11); | |
1612 | UtRegisterTest("UtilActionTest12", UtilActionTest12); | |
1613 | UtRegisterTest("UtilActionTest13", UtilActionTest13); | |
1614 | UtRegisterTest("UtilActionTest14", UtilActionTest14); | |
1615 | UtRegisterTest("UtilActionTest15", UtilActionTest15); | |
1616 | UtRegisterTest("UtilActionTest16", UtilActionTest16); | |
1617 | UtRegisterTest("UtilActionTest17", UtilActionTest17); | |
1618 | UtRegisterTest("UtilActionTest18", UtilActionTest18); | |
1619 | UtRegisterTest("UtilActionTest19", UtilActionTest19); | |
1620 | UtRegisterTest("UtilActionTest20", UtilActionTest20); | |
1621 | UtRegisterTest("UtilActionTest21", UtilActionTest21); | |
1622 | UtRegisterTest("UtilActionTest22", UtilActionTest22); | |
1623 | UtRegisterTest("UtilActionTest23", UtilActionTest23); | |
1624 | UtRegisterTest("UtilActionTest24", UtilActionTest24); | |
12386689 PR |
1625 | #endif |
1626 | } |