detect-bytetest: remove unittests 6956/head
authorModupe Falodun <falodunmodupeola@gmail.com>
Mon, 7 Feb 2022 21:50:37 +0000 (22:50 +0100)
committerVictor Julien <vjulien@oisf.net>
Tue, 8 Feb 2022 18:45:16 +0000 (19:45 +0100)
These tests are reimplemented as Suricata-Verify tests.

Task: 4911

src/detect-bytetest.c

index 7f1275fde72bc085666cdce2f4774006580b0030..e84822d4e23697f2265aa1e9701f3c06266dac76 100644 (file)
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2020 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -1423,260 +1423,6 @@ static int DetectBytetestTestParse24(void)
     PASS;
 }
 
-
-/**
- * \test DetectByteTestTestPacket01 is a test to check matches of
- * byte_test and byte_test relative works if the previous keyword is pcre
- * (bug 142)
- */
-static int DetectByteTestTestPacket01 (void)
-{
-    int result = 0;
-    uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
-                    "User-Agent: Wget/1.11.4"
-                    "Accept: */*"
-                    "Host: www.google.com"
-                    "Connection: Keep-Alive"
-                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
-    uint16_t buflen = strlen((char *)buf);
-    Packet *p;
-    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
-
-    if (p == NULL)
-        goto end;
-
-    char sig[] = "alert tcp any any -> any any (msg:\"pcre + byte_test + "
-    "relative\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\"; byte_test:1,=,1"
-    ",6,relative,string,dec; sid:126; rev:1;)";
-
-    result = UTHPacketMatchSig(p, sig);
-
-    UTHFreePacket(p);
-end:
-    return result;
-}
-
-/**
- * \test DetectByteTestTestPacket02 is a test to check matches of
- * byte_test and byte_test relative works if the previous keyword is byte_jump
- * (bug 158)
- */
-static int DetectByteTestTestPacket02 (void)
-{
-    int result = 0;
-    uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
-                    "User-Agent: Wget/1.11.4"
-                    "Accept: */*"
-                    "Host: www.google.com"
-                    "Connection: Keep-Alive"
-                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
-    uint16_t buflen = strlen((char *)buf);
-    Packet *p;
-    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
-
-    if (p == NULL)
-        goto end;
-
-    char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test + "
-    "relative\"; byte_jump:1,44,string,dec; byte_test:1,=,0,0,relative,string,"
-    "dec; sid:777; rev:1;)";
-
-    result = UTHPacketMatchSig(p, sig);
-
-    UTHFreePacket(p);
-end:
-    return result;
-}
-
-static int DetectByteTestTestPacket03(void)
-{
-    int result = 0;
-    uint8_t *buf = NULL;
-    uint16_t buflen = 0;
-    buf = SCMalloc(4);
-    if (unlikely(buf == NULL)) {
-        printf("malloc failed\n");
-        exit(EXIT_FAILURE);
-    }
-    memcpy(buf, "boom", 4);
-    buflen = 4;
-
-    Packet *p;
-    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
-
-    if (p == NULL)
-        goto end;
-
-    char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test\"; "
-        "byte_test:1,=,65,214748364; sid:1; rev:1;)";
-
-    result = !UTHPacketMatchSig(p, sig);
-
-    UTHFreePacket(p);
-
-end:
-    SCFree(buf);
-    return result;
-}
-
-/** \test Test the byte_test signature matching with operator <= */
-static int DetectByteTestTestPacket04(void)
-{
-    int result = 0;
-    uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
-                    "User-Agent: Wget/1.11.4"
-                    "Accept: */*"
-                    "Host: www.google.com"
-                    "Connection: Keep-Alive"
-                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
-    uint16_t buflen = strlen((char *)buf);
-
-    Packet *p;
-    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
-
-    if (p == NULL)
-        goto end;
-
-    char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
-                    "relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
-    "byte_test:1,<=,0,0,relative,string,dec; sid:124; rev:1;)";
-
-    result = UTHPacketMatchSig(p, sig);
-
-    UTHFreePacket(p);
-
-end:
-    return result;
-}
-
-/** \test Test the byte_test signature matching with operator >= */
-static int DetectByteTestTestPacket05(void)
-{
-    int result = 0;
-    uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
-                    "User-Agent: Wget/1.11.4"
-                    "Accept: */*"
-                    "Host: www.google.com"
-                    "Connection: Keep-Alive"
-                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
-    uint16_t buflen = strlen((char *)buf);
-
-    Packet *p;
-    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
-
-    if (p == NULL)
-        goto end;
-
-    char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
-                    "relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
-    "byte_test:1,>=,0,0,relative,string,dec; sid:125; rev:1;)";
-
-    result = UTHPacketMatchSig(p, sig);
-
-    UTHFreePacket(p);
-
-end:
-    return result;
-}
-/** \test simple dns match on first byte */
-static int DetectByteTestTestPacket06(void)
-{
-    uint8_t buf[] = {   0x38, 0x35, 0x01, 0x00, 0x00, 0x01,
-                        0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-                        0x00, 0x00, 0x001, 0x00, 0x01, 0x00,};
-    Flow f;
-    Packet *p = NULL;
-    Signature *s = NULL;
-    ThreadVars tv;
-    DetectEngineThreadCtx *det_ctx = NULL;
-    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
-    FAIL_IF_NULL(alp_tctx);
-
-    memset(&tv, 0, sizeof(ThreadVars));
-    memset(&f, 0, sizeof(Flow));
-
-    p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
-                           "192.168.1.5", "192.168.1.1",
-                           41424, 53);
-
-    FLOW_INITIALIZE(&f);
-    f.flags |= FLOW_IPV4;
-    f.proto = IPPROTO_UDP;
-    f.protomap = FlowGetProtoMapping(f.proto);
-
-    p->flow = &f;
-    p->flags |= PKT_HAS_FLOW;
-    p->flowflags |= FLOW_PKT_TOSERVER;
-    f.alproto = ALPROTO_DNS;
-
-    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
-    FAIL_IF_NULL(de_ctx);
-
-    de_ctx->mpm_matcher = mpm_default_matcher;
-    de_ctx->flags |= DE_QUIET;
-
-    /*
-     * Check first byte
-     * (0x38 & 0xF8) --> 0x38
-     * 0x38 >> 3 --> 0x7
-     * 0x7 = 0x07
-     */
-    /* this rule should alert */
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                              "(msg:\"Byte test against first byte\"; "
-                              "byte_test:1,=,0x07,0,bitmask 0xF8;"
-                              "sid:1;)");
-    FAIL_IF_NULL(s);
-
-    /* this rule should not alert */
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                              "(msg:\"Test dns_query option\"; "
-                              "byte_test:1,=,0x07,0,bitmask 0xFF;"
-                              "sid:2;)");
-    FAIL_IF_NULL(s);
-
-    /*
-     * Check 3rd byte
-     * (0x01 & 0xFF) --> 0x01
-     * 0x01 >> 0 --> 0x1
-     * 0x1 = 0x01
-     */
-    /* this rule should alert */
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                              "(msg:\"Test dns_query option\"; "
-                              "byte_test:3,=,0x01,0,bitmask 0xFF;"
-                              "sid:3;)");
-    FAIL_IF_NULL(s);
-
-    SigGroupBuild(de_ctx);
-    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
-    FAIL_IF_NULL(det_ctx);
-
-    FAIL_IF_NOT(0 == AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
-                                        STREAM_TOSERVER, buf, sizeof(buf)));
-
-    FAIL_IF_NULL(f.alstate);
-
-    /* do detect */
-    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
-
-    FAIL_IF_NOT(PacketAlertCheck(p, 1));
-
-    FAIL_IF(PacketAlertCheck(p, 2));
-
-    FAIL_IF_NOT(PacketAlertCheck(p, 3));
-
-    AppLayerParserThreadCtxFree(alp_tctx);
-    DetectEngineThreadCtxDeinit(&tv, det_ctx);
-    SigGroupCleanup(de_ctx);
-    DetectEngineCtxFree(de_ctx);
-
-    FLOW_DESTROY(&f);
-    UTHFreePacket(p);
-    PASS;
-}
-
 /**
  * \brief this function registers unit tests for DetectBytetest
  */
@@ -1709,12 +1455,5 @@ static void DetectBytetestRegisterTests(void)
     UtRegisterTest("DetectBytetestTestParse22", DetectBytetestTestParse22);
     UtRegisterTest("DetectBytetestTestParse23", DetectBytetestTestParse23);
     UtRegisterTest("DetectBytetestTestParse24", DetectBytetestTestParse24);
-
-    UtRegisterTest("DetectByteTestTestPacket01", DetectByteTestTestPacket01);
-    UtRegisterTest("DetectByteTestTestPacket02", DetectByteTestTestPacket02);
-    UtRegisterTest("DetectByteTestTestPacket03", DetectByteTestTestPacket03);
-    UtRegisterTest("DetectByteTestTestPacket04", DetectByteTestTestPacket04);
-    UtRegisterTest("DetectByteTestTestPacket05", DetectByteTestTestPacket05);
-    UtRegisterTest("DetectByteTestTestPacket06", DetectByteTestTestPacket06);
 }
 #endif /* UNITTESTS */