Fixed some unittests that were incorrectly mixing relative and non-relative content modifiers.
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
+ "(msg:\"Testing byte_extract\"; "
"content:\"one\"; "
"byte_extract:4,0,two,string,hex; "
"byte_extract:4,0,three,string,hex; "
"byte_extract:4,0,four,string,hex; "
"byte_extract:4,0,five,string,hex; "
- "content: \"four\"; within:two; distance:three; offset:four; depth:five; "
+ "content: \"four\"; within:two; distance:three; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
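Review bot: Once `offset:four; depth:five` is dropped from the `content: "four"` line, nothing in this signature references the byte_extract variables `four` and `five`, although both are still extracted two lines earlier, and the test no longer exercises a byte_extract variable used as `offset` or `depth`. Unless another test already covers that path, I would add a sibling signature ending in `content:"four"; offset:four; depth:five;` and assert `DETECT_CONTENT_OFFSET_BE | DETECT_CONTENT_DEPTH_BE | DETECT_CONTENT_OFFSET | DETECT_CONTENT_DEPTH` on it, so a parser regression there cannot silently change what a rule matches. The same applies to the two later signatures that receive the identical edit (the second `content` one and the `uricontent` one). The enclosing test function starts and ends outside the hunk.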
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_DISTANCE_BE |
- DETECT_CONTENT_DEPTH_BE |
- DETECT_CONTENT_OFFSET_BE |
DETECT_CONTENT_WITHIN_BE |
DETECT_CONTENT_DISTANCE |
- DETECT_CONTENT_DEPTH |
- DETECT_CONTENT_OFFSET |
DETECT_CONTENT_WITHIN) ||
cd->within != bed1->local_id ||
- cd->distance != bed2->local_id ||
- cd->offset != bed3->local_id ||
- cd->depth != bed4->local_id) {
+ cd->distance != bed2->local_id) {
printf("four failed\n");
result = 0;
goto end;
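Review bot: The pattern check `strncmp((char *)cd->content, "four", cd->content_len) != 0` on the first condition line of this hunk is bounded only by the parsed length, so a pattern parsed as a shorter prefix of "four", including a zero-length one, would still pass. Putting `cd->content_len != 4 ||` ahead of it makes the assertion exact; the same expression appears in the two later flag-check hunks. With the `cd->offset` and `cd->depth` comparisons removed, `bed3` and `bed4` are probably left assigned but unused in this function, but their declarations are outside the hunk, so that needs checking in the full file.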
"byte_extract:4,0,three,string,hex; "
"byte_extract:4,0,four,string,hex; "
"byte_extract:4,0,five,string,hex; "
- "content: \"four\"; within:two; distance:three; offset:four; depth:five; "
+ "content: \"four\"; within:two; distance:three; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
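Review bot: Nothing in these tests pins the behaviour the commit message describes, because the mixed form `within:two; distance:three; offset:four; depth:five;` is simply removed from the signature here and in the sibling tests. If the parser is meant to reject relative and non-relative modifiers on the same content (an inference from the message, not visible in the hunk), a negative test that passes the old signature to `SigInit` and expects `NULL` would document that and catch a later relaxation. If the parser accepts the mix, the resulting flags deserve an assertion of their own instead.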
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_DISTANCE_BE |
- DETECT_CONTENT_DEPTH_BE |
- DETECT_CONTENT_OFFSET_BE |
DETECT_CONTENT_WITHIN_BE |
DETECT_CONTENT_DISTANCE |
- DETECT_CONTENT_DEPTH |
- DETECT_CONTENT_OFFSET |
DETECT_CONTENT_WITHIN) ||
cd->within != bed1->local_id ||
- cd->distance != bed2->local_id ||
- cd->offset != bed3->local_id ||
- cd->depth != bed4->local_id) {
+ cd->distance != bed2->local_id ) {
printf("four failed\n");
result = 0;
goto end;
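Review bot: The new condition line `cd->distance != bed2->local_id ) {` has a stray space before the closing parenthesis. The same line in the two sibling tests is written `cd->distance != bed2->local_id) {`, and this one should match.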
"byte_extract:4,0,three,string,hex,relative; "
"byte_extract:4,0,four,string,hex,relative; "
"byte_extract:4,0,five,string,hex,relative; "
- "uricontent: \"four\"; within:two; distance:three; offset:four; depth:five; "
+ "uricontent: \"four\"; within:two; distance:three; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
cd = (DetectContentData *)sm->ctx;
if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
cd->flags != (DETECT_CONTENT_DISTANCE_BE |
- DETECT_CONTENT_DEPTH_BE |
- DETECT_CONTENT_OFFSET_BE |
DETECT_CONTENT_WITHIN_BE |
DETECT_CONTENT_DISTANCE |
- DETECT_CONTENT_DEPTH |
- DETECT_CONTENT_OFFSET |
DETECT_CONTENT_WITHIN) ||
cd->within != bed1->local_id ||
- cd->distance != bed2->local_id ||
- cd->offset != bed3->local_id ||
- cd->depth != bed4->local_id) {
+ cd->distance != bed2->local_id) {
printf("four failed\n");
result = 0;
goto end;
return result;
}
-/**
- * \test Test the working of consecutive relative matches with offset.
- */
-int DcePayloadTest24(void)
-{
- int result = 0;
-
- uint8_t request1[] = {
- 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
- 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
- 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
- 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, /* " " */
- 0x20, 0x74, 0x68, 0x75, 0x73, 0x20, 0x74, 0x68, /* " thus th" */
- 0x75, 0x73, 0x20, 0x69, 0x73, 0x20, 0x61, 0x20, /* "us is a " */
- 0x62, 0x69, 0x67 }; /* "big" */
- uint32_t request1_len = sizeof(request1);
-
- TcpSession ssn;
- Packet *p = NULL;
- ThreadVars tv;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- Flow f;
- int r;
-
- char *sig1 = "alert tcp any any -> any any "
- "(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
- "content:\"thus\"; distance:0; offset:8; content:\"is\"; within:6; "
- "content:\"big\"; within:8; sid:1;)";
-
- Signature *s;
-
- memset(&tv, 0, sizeof(ThreadVars));
- memset(&f, 0, sizeof(Flow));
- memset(&ssn, 0, sizeof(TcpSession));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
- p->flow = &f;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.flags |= FLOW_IPV4;
- f.alproto = ALPROTO_DCERPC;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx, sig1);
- s = de_ctx->sig_list;
- if (s == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
-
- /* request 1 */
- r = AppLayerParse(NULL, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
- if (r != 0) {
- printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
- result = 0;
- goto end;
- }
- /* detection phase */
- SigMatchSignatures(&tv, de_ctx, det_ctx, p);
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have for packet: ");
- goto end;
- }
-
- result = 1;
-
-end:
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
- StreamTcpFreeConfig(TRUE);
-
- UTHFreePackets(&p, 1);
- return result;
-}
-
/**
* \test Test content for dce sig.
*/
UtRegisterTest("DcePayloadTest21", DcePayloadTest21, 1);
UtRegisterTest("DcePayloadTest22", DcePayloadTest22, 1);
UtRegisterTest("DcePayloadTest23", DcePayloadTest23, 1);
- UtRegisterTest("DcePayloadTest24", DcePayloadTest24, 1);
UtRegisterTest("DcePayloadParseTest25", DcePayloadParseTest25, 1);
UtRegisterTest("DcePayloadParseTest26", DcePayloadParseTest26, 1);
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; offset:10; http_client_body; pcre:/two/; "
- "content:\"three\"; distance:10; http_client_body; depth:10; "
+ "content:\"three\"; distance:10; http_client_body; within:10; "
"content:\"four\"; distance:10; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hcbd1->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_OFFSET) ||
memcmp(hcbd1->content, "one", hcbd1->content_len) != 0 ||
- hcbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_DEPTH) ||
+ hcbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) ||
memcmp(hcbd2->content, "three", hcbd1->content_len) != 0) {
+ printf ("failed: http_client_body incorrect flags");
goto end;
}
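Review bot: The comparison `memcmp(hcbd2->content, "three", hcbd1->content_len) != 0` just above the added `printf` takes its length from `hcbd1`, whose pattern is the 3-byte "one", so only the first three bytes of "three" are checked; it should read `memcmp(hcbd2->content, "three", hcbd2->content_len) != 0`. The http_server_body hunk at the end of the diff has the same slip with `hsbd1->content_len`. The added `printf ("failed: http_client_body incorrect flags");` has no trailing newline and names only the flags although the condition also covers the content comparisons, and the matching http_server_body check gets no message at all. Something like `printf("failed: http_client_body flags or content mismatch\n");` in both places would be clearer. The `if` condition begins outside the hunk.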
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; offset:10; http_client_body; pcre:/two/; distance:10; "
- "content:\"three\"; distance:10; http_client_body; depth:10; "
+ "content:\"three\"; distance:10; http_client_body; within:10; "
"content:\"four\"; distance:10; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(content:\"one\"; offset:10; http_server_body; pcre:/two/; "
- "content:\"three\"; distance:10; http_server_body; depth:10; "
+ "content:\"three\"; distance:10; http_server_body; within:10; "
"content:\"four\"; distance:10; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("de_ctx->sig_list == NULL\n");
memcmp(cd2->content, "four", cd2->content_len) != 0 ||
hsbd1->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_OFFSET) ||
memcmp(hsbd1->content, "one", hsbd1->content_len) != 0 ||
- hsbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_DEPTH) ||
+ hsbd2->flags != (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN) ||
memcmp(hsbd2->content, "three", hsbd1->content_len) != 0) {
goto end;
}