]> git.ipfire.org Git - people/ms/suricata.git/blame - src/util-action.c
projects / people / ms / suricata.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
core: Remove unneeded consts
[people/ms/suricata.git] / src / util-action.c
CommitLineData
a2b502a3 1/* Copyright (C) 2007-2013 Open Information Security Foundation
2eef905c
WM		 2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
12386689 18/**
2eef905c
WM		 19 * \file
20 *
12386689
PR		 21 * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22 */
2eef905c 23
12386689
PR		 24#include "suricata-common.h"
25
26#include "action-globals.h"
27#include "conf.h"
28#include "conf-yaml-loader.h"
29
30#include "detect.h"
31#include "detect-engine.h"
32#include "detect-engine-sigorder.h"
33
34#include "util-unittest.h"
35#include "util-action.h"
36#include "util-unittest-helper.h"
37#include "util-debug.h"
38
39/* Default order: */
40uint8_t action_order_sigs[4] = {ACTION_PASS, ACTION_DROP, ACTION_REJECT, ACTION_ALERT};
41/* This order can be changed from config */
42
43/**
44 * \brief Return the priority associated to an action (to order sigs
45 * as specified at config)
46 * action_order_sigs has this priority by index val
47 * so action_order_sigs[0] has to be inspected first.
48 * This function is called from detect-engine-sigorder
49 * \param action can be one of ACTION_PASS, ACTION_DROP,
50 * ACTION_REJECT or ACTION_ALERT
51 * \retval uint8_t the priority (order of this actions)
52 */
a2b502a3
KS		 53uint8_t ActionOrderVal(uint8_t action)
54{
12386689 55 /* reject_both and reject_dst have the same prio as reject */
8ae11f73
L		 56 if( (action & ACTION_REJECT) ||
57 (action & ACTION_REJECT_BOTH) ||
58 (action & ACTION_REJECT_DST)) {
12386689
PR		 59 action = ACTION_REJECT;
60 }
61 uint8_t i = 0;
62 for (; i < 4; i++) {
63 if (action_order_sigs[i] == action)
64 return i;
65 }
66 /* Unknown action, set just a low prio (high val) */
67 return 10;
68}
69
70/**
71 * \brief Return the ACTION_* bit from their ascii value
72 * \param action can be one of "pass", "drop",
73 * "reject" or "alert"
74 * \retval uint8_t can be one of ACTION_PASS, ACTION_DROP,
75 * ACTION_REJECT or ACTION_ALERT
76 */
ab1200fb 77static uint8_t ActionAsciiToFlag(const char *action)
a2b502a3 78{
12386689
PR		 79 if (strcmp(action,"pass") == 0)
80 return ACTION_PASS;
81 if (strcmp(action,"drop") == 0)
82 return ACTION_DROP;
83 if (strcmp(action,"reject") == 0)
84 return ACTION_REJECT;
85 if (strcmp(action,"alert") == 0)
86 return ACTION_ALERT;
87
88 return 0;
89}
90
91/**
92 * \brief Load the action order from config. If none is provided,
93 * it will be default to ACTION_PASS, ACTION_DROP,
94 * ACTION_REJECT, ACTION_ALERT (pass has the highest prio)
f5af4c9c
AS		 95 *
96 * \retval 0 on success; -1 on fatal error;
12386689 97 */
a2b502a3
KS		 98int ActionInitConfig()
99{
12386689
PR		 100 uint8_t actions_used = 0;
101 uint8_t action_flag = 0;
102 uint8_t actions_config[4] = {0, 0, 0, 0};
103 int order = 0;
104
105 ConfNode *action_order;
106 ConfNode *action = NULL;
107
108 /* Let's load the order of actions from the general config */
109 action_order = ConfGetNode("action-order");
2e5292e2
JI		 110 if (action_order == NULL) {
111 /* No configuration, use defaults. */
112 return 0;
113 }
114 else {
12386689
PR		 115 TAILQ_FOREACH(action, &action_order->head, next) {
116 SCLogDebug("Loading action order : %s", action->val);
117 action_flag = ActionAsciiToFlag(action->val);
118 if (action_flag == 0) {
119 SCLogError(SC_ERR_ACTION_ORDER, "action-order, invalid action: \"%s\". Please, use"
120 " \"pass\",\"drop\",\"alert\",\"reject\". You have"
121 " to specify all of them, without quotes and without"
122 " capital letters", action->val);
f5af4c9c 123 goto error;
12386689
PR		 124 }
125
126 if (actions_used & action_flag) {
127 SCLogError(SC_ERR_ACTION_ORDER, "action-order, action already set: \"%s\". Please,"
128 " use \"pass\",\"drop\",\"alert\",\"reject\". You"
129 " have to specify all of them, without quotes and"
130 " without capital letters", action->val);
f5af4c9c 131 goto error;
12386689
PR		 132 }
133
134 if (order >= 4) {
135 SCLogError(SC_ERR_ACTION_ORDER, "action-order, you have already specified all the "
136 "possible actions plus \"%s\". Please, use \"pass\","
137 "\"drop\",\"alert\",\"reject\". You have to specify"
138 " all of them, without quotes and without capital"
139 " letters", action->val);
f5af4c9c 140 goto error;
12386689
PR		 141 }
142 actions_used |= action_flag;
143 actions_config[order++] = action_flag;
144 }
145 }
146 if (order < 4) {
147 SCLogError(SC_ERR_ACTION_ORDER, "action-order, the config didn't specify all of the "
148 "actions. Please, use \"pass\",\"drop\",\"alert\","
149 "\"reject\". You have to specify all of them, without"
150 " quotes and without capital letters");
f5af4c9c 151 goto error;
12386689
PR		 152 }
153
154 /* Now, it's a valid config. Override the default preset */
155 for (order = 0; order < 4; order++) {
156 action_order_sigs[order] = actions_config[order];
157 }
f5af4c9c
AS		 158
159 return 0;
160
161 error:
162 return -1;
12386689
PR		 163}
164
165#ifdef UNITTESTS
12386689
PR		 166
167/**
168 * \test Check that we invalidate duplicated actions
169 * (It should default to pass, drop, reject, alert)
170 */
ab1200fb 171static int UtilActionTest01(void)
12386689
PR		 172{
173 int res = 1;
174 char config[] = "\
175%YAML 1.1\n\
176---\n\
177action-order:\n\
178 - alert\n\
179 - drop\n\
180 - reject\n\
181 - alert\n";
182
183 ConfCreateContextBackup();
184 ConfInit();
185 ConfYamlLoadString(config, strlen(config));
186
187 ActionInitConfig();
188 if (action_order_sigs[0] != ACTION_PASS ||
189 action_order_sigs[1] != ACTION_DROP ||
190 action_order_sigs[2] != ACTION_REJECT ||
191 action_order_sigs[3] != ACTION_ALERT)
192 {
193 res = 0;
194 }
195 ConfRestoreContextBackup();
196
197 /* Restore default values */
198 action_order_sigs[0] = ACTION_PASS;
199 action_order_sigs[1] = ACTION_DROP;
200 action_order_sigs[2] = ACTION_REJECT;
201 action_order_sigs[3] = ACTION_ALERT;
202 return res;
203}
204
205/**
206 * \test Check that we invalidate with unknown keywords
207 * (It should default to pass, drop, reject, alert)
208 */
ab1200fb 209static int UtilActionTest02(void)
12386689
PR		 210{
211 int res = 1;
212 char config[] = "\
213%YAML 1.1\n\
214---\n\
215action-order:\n\
216 - alert\n\
217 - drop\n\
218 - reject\n\
219 - ftw\n";
220
221 ConfCreateContextBackup();
222 ConfInit();
223 ConfYamlLoadString(config, strlen(config));
224
225 ActionInitConfig();
226 if (action_order_sigs[0] != ACTION_PASS ||
227 action_order_sigs[1] != ACTION_DROP ||
228 action_order_sigs[2] != ACTION_REJECT ||
229 action_order_sigs[3] != ACTION_ALERT)
230 {
231 res = 0;
232 }
233 ConfRestoreContextBackup();
234
235 /* Restore default values */
236 action_order_sigs[0] = ACTION_PASS;
237 action_order_sigs[1] = ACTION_DROP;
238 action_order_sigs[2] = ACTION_REJECT;
239 action_order_sigs[3] = ACTION_ALERT;
240 return res;
241}
242
243/**
244 * \test Check that we invalidate if any action is missing
245 * (It should default to pass, drop, reject, alert)
246 */
ab1200fb 247static int UtilActionTest03(void)
12386689
PR		 248{
249 int res = 1;
250 char config[] = "\
251%YAML 1.1\n\
252---\n\
253action-order:\n\
254 - alert\n\
255 - drop\n\
256 - reject\n";
257
258 ConfCreateContextBackup();
259 ConfInit();
260 ConfYamlLoadString(config, strlen(config));
261
262 ActionInitConfig();
263 if (action_order_sigs[0] != ACTION_PASS ||
264 action_order_sigs[1] != ACTION_DROP ||
265 action_order_sigs[2] != ACTION_REJECT ||
266 action_order_sigs[3] != ACTION_ALERT)
267 {
268 res = 0;
269 }
270 ConfRestoreContextBackup();
271
272 /* Restore default values */
273 action_order_sigs[0] = ACTION_PASS;
274 action_order_sigs[1] = ACTION_DROP;
275 action_order_sigs[2] = ACTION_REJECT;
276 action_order_sigs[3] = ACTION_ALERT;
277 return res;
278}
279
280/**
281 * \test Check that we invalidate if any action is missing
282 * (It should default to pass, drop, reject, alert)
283 */
ab1200fb 284static int UtilActionTest04(void)
12386689
PR		 285{
286 int res = 1;
287 char config[] = "\
288%YAML 1.1\n\
289---\n\
290action-order:\n";
291
292 ConfCreateContextBackup();
293 ConfInit();
294 ConfYamlLoadString(config, strlen(config));
295
296 ActionInitConfig();
297 if (action_order_sigs[0] != ACTION_PASS ||
298 action_order_sigs[1] != ACTION_DROP ||
299 action_order_sigs[2] != ACTION_REJECT ||
300 action_order_sigs[3] != ACTION_ALERT)
301 {
302 res = 0;
303 }
304 ConfRestoreContextBackup();
305
306 /* Restore default values */
307 action_order_sigs[0] = ACTION_PASS;
308 action_order_sigs[1] = ACTION_DROP;
309 action_order_sigs[2] = ACTION_REJECT;
310 action_order_sigs[3] = ACTION_ALERT;
311 return res;
312}
313
314/**
315 * \test Check that we invalidate with unknown keywords
316 * and/or more than the expected
317 * (It should default to pass, drop, reject, alert)
318 */
ab1200fb 319static int UtilActionTest05(void)
12386689
PR		 320{
321 int res = 1;
322 char config[] = "\
323%YAML 1.1\n\
324---\n\
325action-order:\n\
326 - alert\n\
327 - drop\n\
328 - reject\n\
329 - pass\n\
330 - whatever\n";
331
332 ConfCreateContextBackup();
333 ConfInit();
334 ConfYamlLoadString(config, strlen(config));
335
336 ActionInitConfig();
337 if (action_order_sigs[0] != ACTION_PASS ||
338 action_order_sigs[1] != ACTION_DROP ||
339 action_order_sigs[2] != ACTION_REJECT ||
340 action_order_sigs[3] != ACTION_ALERT)
341 {
342 res = 0;
343 }
344 ConfRestoreContextBackup();
345
346 /* Restore default values */
347 action_order_sigs[0] = ACTION_PASS;
348 action_order_sigs[1] = ACTION_DROP;
349 action_order_sigs[2] = ACTION_REJECT;
350 action_order_sigs[3] = ACTION_ALERT;
351 return res;
352}
353
354/**
355 * \test Check that we load a valid config
356 */
ab1200fb 357static int UtilActionTest06(void)
12386689
PR		 358{
359 int res = 1;
360 char config[] = "\
361%YAML 1.1\n\
362---\n\
363action-order:\n\
364 - alert\n\
365 - drop\n\
366 - reject\n\
367 - pass\n";
368
369 ConfCreateContextBackup();
370 ConfInit();
371 ConfYamlLoadString(config, strlen(config));
372
373 ActionInitConfig();
374 if (action_order_sigs[0] != ACTION_ALERT ||
375 action_order_sigs[1] != ACTION_DROP ||
376 action_order_sigs[2] != ACTION_REJECT ||
377 action_order_sigs[3] != ACTION_PASS)
378 {
379 res = 0;
380 }
381 ConfRestoreContextBackup();
382
383 /* Restore default values */
384 action_order_sigs[0] = ACTION_PASS;
385 action_order_sigs[1] = ACTION_DROP;
386 action_order_sigs[2] = ACTION_REJECT;
387 action_order_sigs[3] = ACTION_ALERT;
388 return res;
389}
390
391/**
392 * \test Check that we load a valid config
393 */
ab1200fb 394static int UtilActionTest07(void)
12386689
PR		 395{
396 int res = 1;
397 char config[] = "\
398%YAML 1.1\n\
399---\n\
400action-order:\n\
401 - pass\n\
402 - alert\n\
403 - drop\n\
404 - reject\n";
405
406 ConfCreateContextBackup();
407 ConfInit();
408 ConfYamlLoadString(config, strlen(config));
409
410 ActionInitConfig();
411 if (action_order_sigs[0] != ACTION_PASS ||
412 action_order_sigs[1] != ACTION_ALERT ||
413 action_order_sigs[2] != ACTION_DROP ||
414 action_order_sigs[3] != ACTION_REJECT)
415 {
416 res = 0;
417 }
418 ConfRestoreContextBackup();
419
420 /* Restore default values */
421 action_order_sigs[0] = ACTION_PASS;
422 action_order_sigs[1] = ACTION_DROP;
423 action_order_sigs[2] = ACTION_REJECT;
424 action_order_sigs[3] = ACTION_ALERT;
425 return res;
426}
427
428/**
429 * \test Check that we handle the "pass" action
430 * correctly at the IP Only engine in the default case
431 */
ab1200fb 432static int UtilActionTest08(void)
12386689
PR		 433{
434 int res = 0;
435 uint8_t *buf = (uint8_t *)"Hi all!";
436 uint16_t buflen = strlen((char *)buf);
437 Packet *p[3];
438 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
439 "192.168.1.5", "192.168.1.1",
440 41424, 80);
441 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
442 "192.168.1.1", "192.168.1.5",
443 80, 41424);
444 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
445 "192.168.1.5", "192.168.1.1",
446 41424, 80);
447
448 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
449 goto end;
450
ab1200fb 451 const char *sigs[3];
12386689
PR		 452 sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)";
453 sigs[1]= "pass ip 192.168.1.1 80 -> any any (msg:\"sig 2\"; sid:2;)";
454 sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; sid:3;)";
455
456 uint32_t sid[3] = {1, 2, 3};
457
458 uint32_t results[3][3] = {
459 {1, 0, 1},
460 {0, 0, 0},
461 {1, 0, 1} };
462 /* This means that with the second packet, the results will be
463 * all ({0,0,0}) since, we should match the "pass" rule first
464 */
465
466 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
467 if (de_ctx == NULL)
468 goto cleanup;
469 de_ctx->flags |= DE_QUIET;
470
471 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
472 goto cleanup;
473
474 SCSigRegisterSignatureOrderingFuncs(de_ctx);
475 SCSigOrderSignatures(de_ctx);
476
12386689
PR		 477 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
478
479cleanup:
480 UTHFreePackets(p, 3);
481
482 if (de_ctx != NULL) {
483 SigGroupCleanup(de_ctx);
484 SigCleanSignatures(de_ctx);
485 DetectEngineCtxFree(de_ctx);
486 }
487
488end:
489 return res;
490}
491
492/**
493 * \test Check that we handle the "pass" action
494 * correctly at the IP Only engine with more
495 * prio to drop
496 */
ab1200fb 497static int UtilActionTest09(void)
12386689
PR		 498{
499 int res = 1;
500 uint8_t *buf = (uint8_t *)"Hi all!";
501 uint16_t buflen = strlen((char *)buf);
502 Packet *p[3];
503
504 action_order_sigs[0] = ACTION_DROP;
505 action_order_sigs[1] = ACTION_PASS;
506 action_order_sigs[2] = ACTION_REJECT;
507 action_order_sigs[3] = ACTION_ALERT;
508
509 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
510 "192.168.1.5", "192.168.1.1",
511 41424, 80);
512 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
513 "192.168.1.1", "192.168.1.5",
514 80, 41424);
515 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
516 "192.168.1.5", "192.168.1.1",
517 41424, 80);
518
519 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
520 goto end;
521
ab1200fb 522 const char *sigs[3];
12386689
PR		 523 sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)";
524 sigs[1]= "pass ip 192.168.1.1 80 -> any any (msg:\"sig 2\"; sid:2;)";
525 sigs[2]= "drop ip any any -> any any (msg:\"sig 3\"; sid:3;)";
526
527 uint32_t sid[3] = {1, 2, 3};
528
529 uint32_t results[3][3] = {
530 {1, 0, 1},
531 {0, 0, 1},
532 {1, 0, 1} };
533 /* This means that with the second packet, the results will be
534 * all ({0,0,1}) since, we should match the "drop" rule first.
535 * Later the "pass" rule will avoid the "alert" rule match
536 */
537
538 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
539 if (de_ctx == NULL)
540 goto cleanup;
541 de_ctx->flags |= DE_QUIET;
542
543 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
544 goto cleanup;
545
546 SCSigRegisterSignatureOrderingFuncs(de_ctx);
547 SCSigOrderSignatures(de_ctx);
548
12386689
PR		 549 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
550
551cleanup:
552 UTHFreePackets(p, 3);
553
554 if (de_ctx != NULL) {
555 SigGroupCleanup(de_ctx);
556 SigCleanSignatures(de_ctx);
557 DetectEngineCtxFree(de_ctx);
558 }
559
560end:
561 /* Restore default values */
562 action_order_sigs[0] = ACTION_PASS;
563 action_order_sigs[1] = ACTION_DROP;
564 action_order_sigs[2] = ACTION_REJECT;
565 action_order_sigs[3] = ACTION_ALERT;
566 return res;
567}
568
569/**
570 * \test Check that we handle the "pass" action
571 * correctly at the detection engine in the default case
572 */
ab1200fb 573static int UtilActionTest10(void)
12386689
PR		 574{
575 int res = 0;
576 uint8_t *buf = (uint8_t *)"Hi all!";
577 uint16_t buflen = strlen((char *)buf);
578 uint8_t *buf2 = (uint8_t *)"wo!";
579 uint16_t buflen2 = strlen((char *)buf2);
580 Packet *p[3];
581 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
582 "192.168.1.5", "192.168.1.1",
583 41424, 80);
584 p[1] = UTHBuildPacketReal((uint8_t *)buf2, buflen2, IPPROTO_TCP,
585 "192.168.1.1", "192.168.1.5",
586 80, 41424);
587 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
588 "192.168.1.5", "192.168.1.1",
589 41424, 80);
590
591 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
592 goto end;
593
ab1200fb 594 const char *sigs[3];
7433d92d
AS		 595 sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
596 sigs[1]= "pass ip any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)";
597 sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
12386689
PR		 598
599 uint32_t sid[3] = {1, 2, 3};
600
601 uint32_t results[3][3] = {
602 {1, 0, 1},
603 {0, 0, 0},
604 {1, 0, 1} };
605 /* This means that with the second packet, the results will be
606 * all ({0,0,0}) since, we should match the "pass" rule first
607 */
608
609 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
610 if (de_ctx == NULL)
611 goto cleanup;
612 de_ctx->flags |= DE_QUIET;
613
614 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
615 goto cleanup;
616
617 SCSigRegisterSignatureOrderingFuncs(de_ctx);
618 SCSigOrderSignatures(de_ctx);
619
12386689
PR		 620 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
621
622cleanup:
623 UTHFreePackets(p, 3);
624
625 if (de_ctx != NULL) {
626 SigGroupCleanup(de_ctx);
627 SigCleanSignatures(de_ctx);
628 DetectEngineCtxFree(de_ctx);
629 }
630
631end:
632 return res;
633}
634
635/**
636 * \test Check that we handle the "pass" action
637 * correctly at the detection engine with more
638 * prio to drop
639 */
ab1200fb 640static int UtilActionTest11(void)
12386689
PR		 641{
642 int res = 1;
643 uint8_t *buf = (uint8_t *)"Hi all!";
644 uint16_t buflen = strlen((char *)buf);
645 uint8_t *buf2 = (uint8_t *)"Hi all wo!";
646 uint16_t buflen2 = strlen((char *)buf2);
647 Packet *p[3];
648
649 action_order_sigs[0] = ACTION_DROP;
650 action_order_sigs[1] = ACTION_PASS;
651 action_order_sigs[2] = ACTION_REJECT;
652 action_order_sigs[3] = ACTION_ALERT;
653
654 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
655 "192.168.1.5", "192.168.1.1",
656 41424, 80);
657 p[1] = UTHBuildPacketReal((uint8_t *)buf2, buflen2, IPPROTO_TCP,
658 "192.168.1.1", "192.168.1.5",
659 80, 41424);
660 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
661 "192.168.1.5", "192.168.1.1",
662 41424, 80);
663
664 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
665 goto end;
666
ab1200fb 667 const char *sigs[3];
7433d92d
AS		 668 sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
669 sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)";
670 sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
12386689
PR		 671
672 uint32_t sid[3] = {1, 2, 3};
673
674 uint32_t results[3][3] = {
675 {1, 0, 1},
676 {0, 0, 1},
677 {1, 0, 1} };
678 /* This means that with the second packet, the results will be
679 * all ({0,0,1}) since, we should match the "drop" rule first.
680 * Later the "pass" rule will avoid the "alert" rule match
681 */
682
683 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
684 if (de_ctx == NULL)
685 goto cleanup;
686 de_ctx->flags |= DE_QUIET;
687
688 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
689 goto cleanup;
690
691 SCSigRegisterSignatureOrderingFuncs(de_ctx);
692 SCSigOrderSignatures(de_ctx);
693
12386689
PR		 694 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
695
696cleanup:
697 UTHFreePackets(p, 3);
698
699 if (de_ctx != NULL) {
700 SigGroupCleanup(de_ctx);
701 SigCleanSignatures(de_ctx);
702 DetectEngineCtxFree(de_ctx);
703 }
704
705end:
706 /* Restore default values */
707 action_order_sigs[0] = ACTION_PASS;
708 action_order_sigs[1] = ACTION_DROP;
709 action_order_sigs[2] = ACTION_REJECT;
710 action_order_sigs[3] = ACTION_ALERT;
711 return res;
712}
713
714/**
715 * \test Check that we handle the "pass" action
716 * correctly at the detection engine in the default case
717 */
ab1200fb 718static int UtilActionTest12(void)
12386689
PR		 719{
720 int res = 0;
721 uint8_t *buf = (uint8_t *)"Hi all!";
722 uint16_t buflen = strlen((char *)buf);
723 Packet *p[3];
724 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
725 "192.168.1.5", "192.168.1.1",
726 41424, 80);
727 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
728 "192.168.1.1", "192.168.1.5",
729 80, 41424);
730 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
731 "192.168.1.5", "192.168.1.1",
732 41424, 80);
733
734 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
735 goto end;
736
ab1200fb 737 const char *sigs[3];
12386689
PR		 738 sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)";
739 sigs[1]= "pass ip any any -> any any (msg:\"Testing normal 2\"; sid:2;)";
740 sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; sid:3;)";
741
742 uint32_t sid[3] = {1, 2, 3};
743
744 uint32_t results[3][3] = {
745 {0, 0, 0},
746 {0, 0, 0},
747 {0, 0, 0} };
748 /* All should match the 3 sigs, but the action pass has prio */
749
750 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
751 if (de_ctx == NULL)
752 goto cleanup;
753 de_ctx->flags |= DE_QUIET;
754
755 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
756 goto cleanup;
757
758 SCSigRegisterSignatureOrderingFuncs(de_ctx);
759 SCSigOrderSignatures(de_ctx);
760
12386689
PR		 761 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
762
763cleanup:
764 UTHFreePackets(p, 3);
765
766 if (de_ctx != NULL) {
767 SigGroupCleanup(de_ctx);
768 SigCleanSignatures(de_ctx);
769 DetectEngineCtxFree(de_ctx);
770 }
771
772end:
773 return res;
774}
775
776/**
777 * \test Check that we handle the "pass" action
778 * correctly at the detection engine with more
779 * prio to drop
780 */
ab1200fb 781static int UtilActionTest13(void)
12386689
PR		 782{
783 int res = 1;
784 uint8_t *buf = (uint8_t *)"Hi all!";
785 uint16_t buflen = strlen((char *)buf);
786 Packet *p[3];
787
788 action_order_sigs[0] = ACTION_DROP;
789 action_order_sigs[1] = ACTION_PASS;
790 action_order_sigs[2] = ACTION_REJECT;
791 action_order_sigs[3] = ACTION_ALERT;
792
793 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
794 "192.168.1.5", "192.168.1.1",
795 41424, 80);
796 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
797 "192.168.1.1", "192.168.1.5",
798 80, 41424);
799 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
800 "192.168.1.5", "192.168.1.1",
801 41424, 80);
802
803 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
804 goto end;
805
ab1200fb 806 const char *sigs[3];
7433d92d
AS		 807 sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
808 sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
809 sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
12386689
PR		 810
811 uint32_t sid[3] = {1, 2, 3};
812
813 uint32_t results[3][3] = {
814 {0, 0, 1},
815 {0, 0, 1},
816 {0, 0, 1} };
817 /* All the patckets should match the 3 sigs. As drop has more
818 * priority than pass, it should alert on each packet */
819
820 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
821 if (de_ctx == NULL)
822 goto cleanup;
823 de_ctx->flags |= DE_QUIET;
824
825 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
826 goto cleanup;
827
828 SCSigRegisterSignatureOrderingFuncs(de_ctx);
829 SCSigOrderSignatures(de_ctx);
830
12386689
PR		 831 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
832
833cleanup:
834 UTHFreePackets(p, 3);
835
836 if (de_ctx != NULL) {
837 SigGroupCleanup(de_ctx);
838 SigCleanSignatures(de_ctx);
839 DetectEngineCtxFree(de_ctx);
840 }
841
842end:
843 /* Restore default values */
844 action_order_sigs[0] = ACTION_PASS;
845 action_order_sigs[1] = ACTION_DROP;
846 action_order_sigs[2] = ACTION_REJECT;
847 action_order_sigs[3] = ACTION_ALERT;
848 return res;
849}
850
851/**
852 * \test Check that we handle the "pass" action
853 * correctly at the detection engine with more
854 * prio to drop and alert
855 */
ab1200fb 856static int UtilActionTest14(void)
12386689
PR		 857{
858 int res = 1;
859 uint8_t *buf = (uint8_t *)"Hi all!";
860 uint16_t buflen = strlen((char *)buf);
861 Packet *p[3];
862
863 action_order_sigs[0] = ACTION_DROP;
864 action_order_sigs[1] = ACTION_ALERT;
865 action_order_sigs[2] = ACTION_REJECT;
866 action_order_sigs[3] = ACTION_PASS;
867
868 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
869 "192.168.1.5", "192.168.1.1",
870 41424, 80);
871 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
872 "192.168.1.1", "192.168.1.5",
873 80, 41424);
874 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
875 "192.168.1.5", "192.168.1.1",
876 41424, 80);
877
878 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
879 goto end;
880
ab1200fb 881 const char *sigs[3];
7433d92d
AS		 882 sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
883 sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
884 sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
12386689
PR		 885
886 uint32_t sid[3] = {1, 2, 3};
887
888 uint32_t results[3][3] = {
889 {1, 0, 1},
890 {1, 0, 1},
891 {1, 0, 1} };
892 /* All the patckets should match the 3 sigs. As drop
893 * and alert have more priority than pass, both should
894 * alert on each packet */
895
896 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
897 if (de_ctx == NULL)
898 goto cleanup;
899 de_ctx->flags |= DE_QUIET;
900
901 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
902 goto cleanup;
903
904 SCSigRegisterSignatureOrderingFuncs(de_ctx);
905 SCSigOrderSignatures(de_ctx);
906
12386689
PR		 907 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
908
909cleanup:
910 UTHFreePackets(p, 3);
911
912 if (de_ctx != NULL) {
913 SigGroupCleanup(de_ctx);
914 SigCleanSignatures(de_ctx);
915 DetectEngineCtxFree(de_ctx);
916 }
917
918end:
919 /* Restore default values */
920 action_order_sigs[0] = ACTION_PASS;
921 action_order_sigs[1] = ACTION_DROP;
922 action_order_sigs[2] = ACTION_REJECT;
923 action_order_sigs[3] = ACTION_ALERT;
924 return res;
925}
926
8bcdf29a
PR		 927/**
928 * \test Check mixed sigs (iponly and normal)
929 */
ab1200fb 930static int UtilActionTest15(void)
8bcdf29a
PR		 931{
932 int res = 1;
933 uint8_t *buf = (uint8_t *)"Hi all!";
934 uint16_t buflen = strlen((char *)buf);
935 Packet *p[3];
936
937 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
938 "192.168.1.5", "192.168.1.1",
939 41424, 80);
940 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
941 "192.168.1.1", "192.168.1.5",
942 80, 41424);
943 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
944 "192.168.1.5", "192.168.1.1",
945 41424, 80);
946
947 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
948 goto end;
949
ab1200fb 950 const char *sigs[3];
8bcdf29a 951 sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
7433d92d 952 sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
8bcdf29a
PR		 953 sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
954
955 uint32_t sid[3] = {1, 2, 3};
956
957 uint32_t results[3][3] = {
958 {0, 0, 0},
959 {0, 0, 0},
960 {0, 0, 0} };
961 /* All the patckets should match the 3 sigs. As drop
962 * and alert have more priority than pass, both should
963 * alert on each packet */
964
965 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
966 if (de_ctx == NULL)
967 goto cleanup;
968 de_ctx->flags |= DE_QUIET;
969
970 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
971 goto cleanup;
972
973 SCSigRegisterSignatureOrderingFuncs(de_ctx);
974 SCSigOrderSignatures(de_ctx);
975
8bcdf29a
PR		 976 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
977
978cleanup:
979 UTHFreePackets(p, 3);
980
981 if (de_ctx != NULL) {
982 SigGroupCleanup(de_ctx);
983 SigCleanSignatures(de_ctx);
984 DetectEngineCtxFree(de_ctx);
985 }
986
987end:
988 return res;
989}
990
991/**
992 * \test Check mixed sigs (iponly and normal)
993 */
ab1200fb 994static int UtilActionTest16(void)
8bcdf29a
PR		 995{
996 int res = 1;
997 uint8_t *buf = (uint8_t *)"Hi all!";
998 uint16_t buflen = strlen((char *)buf);
999 Packet *p[3];
1000
1001 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1002 "192.168.1.5", "192.168.1.1",
1003 41424, 80);
1004 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1005 "192.168.1.1", "192.168.1.5",
1006 80, 41424);
1007 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1008 "192.168.1.5", "192.168.1.1",
1009 41424, 80);
1010
1011 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1012 goto end;
1013
ab1200fb 1014 const char *sigs[3];
8bcdf29a 1015 sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
7433d92d 1016 sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
8bcdf29a
PR		 1017 sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1018
1019 uint32_t sid[3] = {1, 2, 3};
1020
1021 uint32_t results[3][3] = {
1022 {0, 0, 0},
1023 {0, 0, 0},
1024 {0, 0, 0} };
1025 /* All the patckets should match the 3 sigs. As drop
1026 * and alert have more priority than pass, both should
1027 * alert on each packet */
1028
1029 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1030 if (de_ctx == NULL)
1031 goto cleanup;
1032 de_ctx->flags |= DE_QUIET;
1033
1034 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1035 goto cleanup;
1036
1037 SCSigRegisterSignatureOrderingFuncs(de_ctx);
1038 SCSigOrderSignatures(de_ctx);
1039
8bcdf29a
PR		 1040 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1041
1042cleanup:
1043 UTHFreePackets(p, 3);
1044
1045 if (de_ctx != NULL) {
1046 SigGroupCleanup(de_ctx);
1047 SigCleanSignatures(de_ctx);
1048 DetectEngineCtxFree(de_ctx);
1049 }
1050
1051end:
1052 return res;
1053}
1054
1055/**
1056 * \test Check mixed sigs (iponly and normal)
1057 */
ab1200fb 1058static int UtilActionTest17(void)
8bcdf29a
PR		 1059{
1060 int res = 1;
1061 uint8_t *buf = (uint8_t *)"Hi all!";
1062 uint16_t buflen = strlen((char *)buf);
1063 Packet *p[3];
1064
1065 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1066 "192.168.1.5", "192.168.1.1",
1067 41424, 80);
1068 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1069 "192.168.1.1", "192.168.1.5",
1070 80, 41424);
1071 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1072 "192.168.1.5", "192.168.1.1",
1073 41424, 80);
1074
1075 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1076 goto end;
1077
ab1200fb 1078 const char *sigs[3];
8bcdf29a 1079 sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
7433d92d 1080 sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
8bcdf29a
PR		 1081 sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1082
1083 uint32_t sid[3] = {1, 2, 3};
1084
1085 uint32_t results[3][3] = {
1086 {0, 0, 0},
1087 {0, 0, 0},
1088 {0, 0, 0} };
1089 /* All the patckets should match the 3 sigs. As drop
1090 * and alert have more priority than pass, both should
1091 * alert on each packet */
1092
1093 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1094 if (de_ctx == NULL)
1095 goto cleanup;
1096 de_ctx->flags |= DE_QUIET;
1097
1098 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1099 goto cleanup;
1100
1101 SCSigRegisterSignatureOrderingFuncs(de_ctx);
1102 SCSigOrderSignatures(de_ctx);
1103
8bcdf29a
PR		 1104 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1105
1106cleanup:
1107 UTHFreePackets(p, 3);
1108
1109 if (de_ctx != NULL) {
1110 SigGroupCleanup(de_ctx);
1111 SigCleanSignatures(de_ctx);
1112 DetectEngineCtxFree(de_ctx);
1113 }
1114
1115end:
1116 return res;
1117}
1118
1119/**
1120 * \test Check mixed sigs (iponly and normal) with more prio for drop
1121 */
ab1200fb 1122static int UtilActionTest18(void)
8bcdf29a
PR		 1123{
1124 int res = 1;
1125 uint8_t *buf = (uint8_t *)"Hi all!";
1126 uint16_t buflen = strlen((char *)buf);
1127 Packet *p[3];
1128
1129 action_order_sigs[0] = ACTION_DROP;
1130 action_order_sigs[1] = ACTION_PASS;
1131 action_order_sigs[2] = ACTION_REJECT;
1132 action_order_sigs[3] = ACTION_ALERT;
1133
1134 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1135 "192.168.1.5", "192.168.1.1",
1136 41424, 80);
1137 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1138 "192.168.1.1", "192.168.1.5",
1139 80, 41424);
1140 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1141 "192.168.1.5", "192.168.1.1",
1142 41424, 80);
1143
1144 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1145 goto end;
1146
ab1200fb 1147 const char *sigs[3];
8bcdf29a 1148 sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
7433d92d 1149 sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
8bcdf29a
PR		 1150 sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1151
1152 uint32_t sid[3] = {1, 2, 3};
1153
1154 uint32_t results[3][3] = {
1155 {0, 0, 1},
1156 {0, 0, 1},
1157 {0, 0, 1} };
1158 /* All the patckets should match the 3 sigs. As drop
1159 * and alert have more priority than pass, both should
1160 * alert on each packet */
1161
1162 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1163 if (de_ctx == NULL)
1164 goto cleanup;
1165 de_ctx->flags |= DE_QUIET;
1166
1167 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1168 goto cleanup;
1169
1170 SCSigRegisterSignatureOrderingFuncs(de_ctx);
1171 SCSigOrderSignatures(de_ctx);
1172
8bcdf29a
PR		 1173 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1174
1175cleanup:
1176 UTHFreePackets(p, 3);
1177
1178 if (de_ctx != NULL) {
1179 SigGroupCleanup(de_ctx);
1180 SigCleanSignatures(de_ctx);
1181 DetectEngineCtxFree(de_ctx);
1182 }
1183
1184end:
1185 /* Restore default values */
1186 action_order_sigs[0] = ACTION_PASS;
1187 action_order_sigs[1] = ACTION_DROP;
1188 action_order_sigs[2] = ACTION_REJECT;
1189 action_order_sigs[3] = ACTION_ALERT;
1190
1191 return res;
1192}
1193
1194/**
1195 * \test Check mixed sigs (iponly and normal) with more prio for drop
1196 */
ab1200fb 1197static int UtilActionTest19(void)
8bcdf29a
PR		 1198{
1199 int res = 1;
1200 uint8_t *buf = (uint8_t *)"Hi all!";
1201 uint16_t buflen = strlen((char *)buf);
1202 Packet *p[3];
1203
1204 action_order_sigs[0] = ACTION_DROP;
1205 action_order_sigs[1] = ACTION_PASS;
1206 action_order_sigs[2] = ACTION_REJECT;
1207 action_order_sigs[3] = ACTION_ALERT;
1208
1209 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1210 "192.168.1.5", "192.168.1.1",
1211 41424, 80);
1212 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1213 "192.168.1.1", "192.168.1.5",
1214 80, 41424);
1215 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1216 "192.168.1.5", "192.168.1.1",
1217 41424, 80);
1218
1219 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1220 goto end;
1221
ab1200fb 1222 const char *sigs[3];
8bcdf29a 1223 sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
7433d92d 1224 sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
8bcdf29a
PR		 1225 sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1226
1227 uint32_t sid[3] = {1, 2, 3};
1228
1229 uint32_t results[3][3] = {
1230 {1, 0, 0},
1231 {1, 0, 0},
1232 {1, 0, 0} };
1233 /* All the patckets should match the 3 sigs. As drop
1234 * and alert have more priority than pass, both should
1235 * alert on each packet */
1236
1237 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1238 if (de_ctx == NULL)
1239 goto cleanup;
1240 de_ctx->flags |= DE_QUIET;
1241
1242 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1243 goto cleanup;
1244
1245 SCSigRegisterSignatureOrderingFuncs(de_ctx);
1246 SCSigOrderSignatures(de_ctx);
1247
8bcdf29a
PR		 1248 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1249
1250cleanup:
1251 UTHFreePackets(p, 3);
1252
1253 if (de_ctx != NULL) {
1254 SigGroupCleanup(de_ctx);
1255 SigCleanSignatures(de_ctx);
1256 DetectEngineCtxFree(de_ctx);
1257 }
1258
1259end:
1260 /* Restore default values */
1261 action_order_sigs[0] = ACTION_PASS;
1262 action_order_sigs[1] = ACTION_DROP;
1263 action_order_sigs[2] = ACTION_REJECT;
1264 action_order_sigs[3] = ACTION_ALERT;
1265
1266 return res;
1267}
1268
1269/**
1270 * \test Check mixed sigs (iponly and normal) with more prio for drop
1271 */
ab1200fb 1272static int UtilActionTest20(void)
8bcdf29a
PR		 1273{
1274 int res = 1;
1275 uint8_t *buf = (uint8_t *)"Hi all!";
1276 uint16_t buflen = strlen((char *)buf);
1277 Packet *p[3];
1278
1279 action_order_sigs[0] = ACTION_DROP;
1280 action_order_sigs[1] = ACTION_PASS;
1281 action_order_sigs[2] = ACTION_REJECT;
1282 action_order_sigs[3] = ACTION_ALERT;
1283
1284 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1285 "192.168.1.5", "192.168.1.1",
1286 41424, 80);
1287 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1288 "192.168.1.1", "192.168.1.5",
1289 80, 41424);
1290 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1291 "192.168.1.5", "192.168.1.1",
1292 41424, 80);
1293
1294 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1295 goto end;
1296
ab1200fb 1297 const char *sigs[3];
8bcdf29a 1298 sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
7433d92d 1299 sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
8bcdf29a
PR		 1300 sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1301
1302 uint32_t sid[3] = {1, 2, 3};
1303
1304 uint32_t results[3][3] = {
1305 {0, 1, 0},
1306 {0, 1, 0},
1307 {0, 1, 0} };
1308 /* All the patckets should match the 3 sigs. As drop
1309 * and alert have more priority than pass, both should
1310 * alert on each packet */
1311
1312 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1313 if (de_ctx == NULL)
1314 goto cleanup;
1315 de_ctx->flags |= DE_QUIET;
1316
1317 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1318 goto cleanup;
1319
1320 SCSigRegisterSignatureOrderingFuncs(de_ctx);
1321 SCSigOrderSignatures(de_ctx);
1322
8bcdf29a
PR		 1323 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1324
1325cleanup:
1326 UTHFreePackets(p, 3);
1327
1328 if (de_ctx != NULL) {
1329 SigGroupCleanup(de_ctx);
1330 SigCleanSignatures(de_ctx);
1331 DetectEngineCtxFree(de_ctx);
1332 }
1333
1334end:
1335 return res;
1336}
1337
1338/**
1339 * \test Check mixed sigs (iponly and normal) with more prio for alert and drop
1340 */
ab1200fb 1341static int UtilActionTest21(void)
8bcdf29a
PR		 1342{
1343 int res = 1;
1344 uint8_t *buf = (uint8_t *)"Hi all!";
1345 uint16_t buflen = strlen((char *)buf);
1346 Packet *p[3];
1347
1348 action_order_sigs[0] = ACTION_DROP;
1349 action_order_sigs[1] = ACTION_ALERT;
1350 action_order_sigs[2] = ACTION_REJECT;
1351 action_order_sigs[3] = ACTION_PASS;
1352
1353 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1354 "192.168.1.5", "192.168.1.1",
1355 41424, 80);
1356 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1357 "192.168.1.1", "192.168.1.5",
1358 80, 41424);
1359 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1360 "192.168.1.5", "192.168.1.1",
1361 41424, 80);
1362
1363 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1364 goto end;
1365
ab1200fb 1366 const char *sigs[3];
8bcdf29a 1367 sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
7433d92d 1368 sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
8bcdf29a
PR		 1369 sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1370
1371 uint32_t sid[3] = {1, 2, 3};
1372
1373 uint32_t results[3][3] = {
1374 {1, 0, 1},
1375 {1, 0, 1},
1376 {1, 0, 1} };
1377 /* All the patckets should match the 3 sigs. As drop
1378 * and alert have more priority than pass, both should
1379 * alert on each packet */
1380
1381 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1382 if (de_ctx == NULL)
1383 goto cleanup;
1384 de_ctx->flags |= DE_QUIET;
1385
1386 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1387 goto cleanup;
1388
1389 SCSigRegisterSignatureOrderingFuncs(de_ctx);
1390 SCSigOrderSignatures(de_ctx);
1391
8bcdf29a
PR		 1392 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1393
1394cleanup:
1395 UTHFreePackets(p, 3);
1396
1397 if (de_ctx != NULL) {
1398 SigGroupCleanup(de_ctx);
1399 SigCleanSignatures(de_ctx);
1400 DetectEngineCtxFree(de_ctx);
1401 }
1402
1403end:
1404 /* Restore default values */
1405 action_order_sigs[0] = ACTION_PASS;
1406 action_order_sigs[1] = ACTION_DROP;
1407 action_order_sigs[2] = ACTION_REJECT;
1408 action_order_sigs[3] = ACTION_ALERT;
1409
1410 return res;
1411}
1412
1413/**
1414 * \test Check mixed sigs (iponly and normal) with more prio for alert and drop
1415 */
ab1200fb 1416static int UtilActionTest22(void)
8bcdf29a
PR		 1417{
1418 int res = 1;
1419 uint8_t *buf = (uint8_t *)"Hi all!";
1420 uint16_t buflen = strlen((char *)buf);
1421 Packet *p[3];
1422
1423 action_order_sigs[0] = ACTION_DROP;
1424 action_order_sigs[1] = ACTION_ALERT;
1425 action_order_sigs[2] = ACTION_REJECT;
1426 action_order_sigs[3] = ACTION_PASS;
1427
1428 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1429 "192.168.1.5", "192.168.1.1",
1430 41424, 80);
1431 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1432 "192.168.1.1", "192.168.1.5",
1433 80, 41424);
1434 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1435 "192.168.1.5", "192.168.1.1",
1436 41424, 80);
1437
1438 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1439 goto end;
1440
ab1200fb 1441 const char *sigs[3];
8bcdf29a 1442 sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
7433d92d 1443 sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
8bcdf29a
PR		 1444 sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1445
1446 uint32_t sid[3] = {1, 2, 3};
1447
1448 uint32_t results[3][3] = {
1449 {1, 1, 0},
1450 {1, 1, 0},
1451 {1, 1, 0} };
1452 /* All the patckets should match the 3 sigs. As drop
1453 * and alert have more priority than pass, both should
1454 * alert on each packet */
1455
1456 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1457 if (de_ctx == NULL)
1458 goto cleanup;
1459 de_ctx->flags |= DE_QUIET;
1460
1461 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1462 goto cleanup;
1463
1464 SCSigRegisterSignatureOrderingFuncs(de_ctx);
1465 SCSigOrderSignatures(de_ctx);
1466
8bcdf29a
PR		 1467 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1468
1469cleanup:
1470 UTHFreePackets(p, 3);
1471
1472 if (de_ctx != NULL) {
1473 SigGroupCleanup(de_ctx);
1474 SigCleanSignatures(de_ctx);
1475 DetectEngineCtxFree(de_ctx);
1476 }
1477
1478end:
1479 /* Restore default values */
1480 action_order_sigs[0] = ACTION_PASS;
1481 action_order_sigs[1] = ACTION_DROP;
1482 action_order_sigs[2] = ACTION_REJECT;
1483 action_order_sigs[3] = ACTION_ALERT;
1484
1485 return res;
1486}
1487
1488/**
1489 * \test Check mixed sigs (iponly and normal) with more prio for alert and drop
1490 */
ab1200fb 1491static int UtilActionTest23(void)
8bcdf29a
PR		 1492{
1493 int res = 1;
1494 uint8_t *buf = (uint8_t *)"Hi all!";
1495 uint16_t buflen = strlen((char *)buf);
1496 Packet *p[3];
1497
1498 action_order_sigs[0] = ACTION_DROP;
1499 action_order_sigs[1] = ACTION_ALERT;
1500 action_order_sigs[2] = ACTION_REJECT;
1501 action_order_sigs[3] = ACTION_PASS;
1502
1503 p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1504 "192.168.1.5", "192.168.1.1",
1505 41424, 80);
1506 p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1507 "192.168.1.1", "192.168.1.5",
1508 80, 41424);
1509 p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1510 "192.168.1.5", "192.168.1.1",
1511 41424, 80);
1512
1513 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1514 goto end;
1515
ab1200fb 1516 const char *sigs[3];
8bcdf29a 1517 sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
7433d92d 1518 sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
8bcdf29a
PR		 1519 sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1520
1521 uint32_t sid[3] = {1, 2, 3};
1522
1523 uint32_t results[3][3] = {
1524 {0, 1, 1},
1525 {0, 1, 1},
1526 {0, 1, 1} };
1527 /* All the patckets should match the 3 sigs. As drop
1528 * and alert have more priority than pass, both should
1529 * alert on each packet */
1530
1531 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1532 if (de_ctx == NULL)
1533 goto cleanup;
1534 de_ctx->flags |= DE_QUIET;
1535
1536 if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1537 goto cleanup;
1538
1539 SCSigRegisterSignatureOrderingFuncs(de_ctx);
1540 SCSigOrderSignatures(de_ctx);
1541
8bcdf29a
PR		 1542 res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1543
1544cleanup:
1545 UTHFreePackets(p, 3);
1546
1547 if (de_ctx != NULL) {
1548 SigGroupCleanup(de_ctx);
1549 SigCleanSignatures(de_ctx);
1550 DetectEngineCtxFree(de_ctx);
1551 }
1552
2e5292e2
JI		 1553 /* Restore default values */
1554 action_order_sigs[0] = ACTION_PASS;
1555 action_order_sigs[1] = ACTION_DROP;
1556 action_order_sigs[2] = ACTION_REJECT;
1557 action_order_sigs[3] = ACTION_ALERT;
1558
8bcdf29a
PR		 1559end:
1560 return res;
1561}
1562
2e5292e2
JI		 1563/**
1564 * \test Check that the expected defaults are loaded if the
1565 * action-order configuration is not present.
1566 */
ab1200fb 1567static int UtilActionTest24(void)
2e5292e2
JI		 1568{
1569 int res = 1;
1570 char config[] = "%YAML 1.1\n"
1571 "---\n";
1572
1573 ConfCreateContextBackup();
1574 ConfInit();
1575 ConfYamlLoadString(config, strlen(config));
1576
1577 if (ActionInitConfig() != 0) {
1578 res = 0;
1579 goto done;
1580 }
1581 if (action_order_sigs[0] != ACTION_PASS ||
1582 action_order_sigs[1] != ACTION_DROP ||
1583 action_order_sigs[2] != ACTION_REJECT ||
1584 action_order_sigs[3] != ACTION_ALERT) {
1585 res = 0;
1586 }
1587
1588done:
1589 ConfRestoreContextBackup();
1590 return res;
1591}
1592
12386689
PR		 1593#endif
1594
1595/* Register unittests */
8f1d7503
KS		 1596void UtilActionRegisterTests(void)
1597{
12386689
PR		 1598#ifdef UNITTESTS
1599 /* Generic tests */
796dd522
JI		 1600 UtRegisterTest("UtilActionTest01", UtilActionTest01);
1601 UtRegisterTest("UtilActionTest02", UtilActionTest02);
1602 UtRegisterTest("UtilActionTest02", UtilActionTest02);
1603 UtRegisterTest("UtilActionTest03", UtilActionTest03);
1604 UtRegisterTest("UtilActionTest04", UtilActionTest04);
1605 UtRegisterTest("UtilActionTest05", UtilActionTest05);
1606 UtRegisterTest("UtilActionTest06", UtilActionTest06);
1607 UtRegisterTest("UtilActionTest07", UtilActionTest07);
1608 UtRegisterTest("UtilActionTest08", UtilActionTest08);
1609 UtRegisterTest("UtilActionTest09", UtilActionTest09);
1610 UtRegisterTest("UtilActionTest10", UtilActionTest10);
1611 UtRegisterTest("UtilActionTest11", UtilActionTest11);
1612 UtRegisterTest("UtilActionTest12", UtilActionTest12);
1613 UtRegisterTest("UtilActionTest13", UtilActionTest13);
1614 UtRegisterTest("UtilActionTest14", UtilActionTest14);
1615 UtRegisterTest("UtilActionTest15", UtilActionTest15);
1616 UtRegisterTest("UtilActionTest16", UtilActionTest16);
1617 UtRegisterTest("UtilActionTest17", UtilActionTest17);
1618 UtRegisterTest("UtilActionTest18", UtilActionTest18);
1619 UtRegisterTest("UtilActionTest19", UtilActionTest19);
1620 UtRegisterTest("UtilActionTest20", UtilActionTest20);
1621 UtRegisterTest("UtilActionTest21", UtilActionTest21);
1622 UtRegisterTest("UtilActionTest22", UtilActionTest22);
1623 UtRegisterTest("UtilActionTest23", UtilActionTest23);
1624 UtRegisterTest("UtilActionTest24", UtilActionTest24);
12386689
PR		 1625#endif
1626}
Michael's tree of suricata