static int DetectL3ProtoSetup(DetectEngineCtx *, Signature *, char *);
+void DetectL3protoRegisterTests(void);
+
void DetectL3ProtoRegister(void)
{
sigmatch_table[DETECT_L3PROTO].name = "l3_proto";
sigmatch_table[DETECT_L3PROTO].Match = NULL;
sigmatch_table[DETECT_L3PROTO].Setup = DetectL3ProtoSetup;
sigmatch_table[DETECT_L3PROTO].Free = NULL;
- sigmatch_table[DETECT_L3PROTO].RegisterTests = NULL;
+ sigmatch_table[DETECT_L3PROTO].RegisterTests = DetectL3protoRegisterTests;
return;
}
SCFree(str);
return -1;
}
+
+#ifdef UNITTESTS
+
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+
+/**
+ * \test DetectL3protoTestSig01 is a test for checking the working of ttl keyword
+ * by setting up the signature and later testing its working by matching
+ * the received packet against the sig.
+ */
+
+static int DetectL3protoTestSig1(void) {
+
+ Packet *p = SCMalloc(SIZE_OF_PACKET);
+ if (p == NULL)
+ return 0;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx;
+ int result = 0;
+ IPV4Hdr ip4h;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(p, 0, SIZE_OF_PACKET);
+ p->pkt = (uint8_t *)(p + 1);
+
+ p->src.family = AF_INET;
+ p->dst.family = AF_INET;
+ p->proto = IPPROTO_TCP;
+ p->ip4h = &ip4h;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv4\"; l3_proto:ipv4; sid:1;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6\"; l3_proto:ipv6; sid:2;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip4\"; l3_proto:ip4; sid:3;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip6\"; l3_proto:ip6; sid:2;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+ if (PacketAlertCheck(p, 1) == 0) {
+ printf("sid 1 did not alert, but should have: ");
+ goto cleanup;
+ } else if (PacketAlertCheck(p, 2)) {
+ printf("sid 2 alerted, but should not have: ");
+ goto cleanup;
+ } else if (PacketAlertCheck(p, 3) == 0) {
+ printf("sid 3 did not alert, but should have: ");
+ goto cleanup;
+ } else if (PacketAlertCheck(p, 4)) {
+ printf("sid 4 alerted, but should not have: ");
+ goto cleanup;
+ }
+
+ result = 1;
+
+cleanup:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+end:
+ SCFree(p);
+ return result;
+}
+
+/**
+ * \test DetectL3protoTestSig02 is a test for checking the working of l3proto keyword
+ * by setting up the signature and later testing its working by matching
+ * the received IPv6 packet against the sig.
+ */
+
+static int DetectL3protoTestSig2(void) {
+
+ Packet *p = SCMalloc(SIZE_OF_PACKET);
+ if (p == NULL)
+ return 0;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx;
+ int result = 0;
+ IPV6Hdr ip6h;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(p, 0, SIZE_OF_PACKET);
+ p->pkt = (uint8_t *)(p + 1);
+
+ p->src.family = AF_INET6;
+ p->dst.family = AF_INET6;
+ p->proto = IPPROTO_TCP;
+ p->ip6h = &ip6h;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv4\"; l3_proto:ipv4; sid:1;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6\"; l3_proto:ipv6; sid:2;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip4\"; l3_proto:ip4; sid:3;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip6\"; l3_proto:ip6; sid:4;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+ if (PacketAlertCheck(p, 1)) {
+ printf("sid 1 alerted, but should not have: ");
+ goto cleanup;
+ } else if (PacketAlertCheck(p, 2) == 0) {
+ printf("sid 2 did not alert, but should have: ");
+ goto cleanup;
+ } else if (PacketAlertCheck(p, 3)) {
+ printf("sid 3 alerted, but should not have: ");
+ goto cleanup;
+ } else if (PacketAlertCheck(p, 4) == 0) {
+ printf("sid 4 did not alert, but should have: ");
+ goto cleanup;
+ }
+
+ result = 1;
+
+cleanup:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+end:
+ SCFree(p);
+ return result;
+}
+
+/**
+ * \test DetectL3protoTestSig03 is a test for checking the working of l3proto keyword
+ * in conjonction with ip_proto keyword.
+ */
+
+static int DetectL3protoTestSig3(void) {
+
+ Packet *p = SCMalloc(SIZE_OF_PACKET);
+ if (p == NULL)
+ return 0;
+ Signature *s = NULL;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx;
+ int result = 0;
+ IPV6Hdr ip6h;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(p, 0, SIZE_OF_PACKET);
+ p->pkt = (uint8_t *)(p + 1);
+
+ p->src.family = AF_INET6;
+ p->dst.family = AF_INET6;
+ p->proto = IPPROTO_TCP;
+ p->ip6h = &ip6h;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv4 and ip_proto udp\"; l3_proto:ipv4; ip_proto:17; sid:1;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6 and ip_proto udp\"; l3_proto:ipv6; ip_proto:17; sid:2;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ip4 and ip_proto tcp\"; l3_proto:ipv4; ip_proto:6; sid:3;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"l3proto ipv6 and ip_proto tcp\"; l3_proto:ipv6; ip_proto:6; sid:4;)");
+ if (s == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+ if (PacketAlertCheck(p, 1)) {
+ printf("sid 1 alerted, but should not have: ");
+ goto cleanup;
+ } else if (PacketAlertCheck(p, 2)) {
+ printf("sid 2 alerted, but should not have: ");
+ goto cleanup;
+ } else if (PacketAlertCheck(p, 3)) {
+ printf("sid 3 alerted, but should not have: ");
+ goto cleanup;
+ } else if (PacketAlertCheck(p, 4) == 0) {
+ printf("sid 4 did not alert, but should have: ");
+ goto cleanup;
+ }
+
+ result = 1;
+
+cleanup:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+end:
+ SCFree(p);
+ return result;
+}
+
+
+#endif /* UNITTESTS */
+
+/**
+ * \brief this function registers unit tests for DetectL3proto
+ */
+void DetectL3protoRegisterTests(void) {
+#ifdef UNITTESTS
+ UtRegisterTest("DetectL3protoTestSig1", DetectL3protoTestSig1, 1);
+ UtRegisterTest("DetectL3protoTestSig2", DetectL3protoTestSig2, 1);
+ UtRegisterTest("DetectL3protoTestSig3", DetectL3protoTestSig3, 1);
+#endif /* UNITTESTS */
+}
projects / thirdparty / suricata.git / commitdiff
