tests to highlight that

- suricata treates sigs with offset/depth without any packet keywords as stream sigs
- as a consequence suricata will FN on such sigs

The tests introduced here will fail, displaying the issues.  The
next patch in the series would fix the said issues.

diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c
index 388f4ada15d5568c0f453634af026842ba6c0555..2745e0c6a6e60156b0e4216d4f078afa0e6236c0 100644 (file)
--- a/src/detect-engine-payload.c
+++ b/src/detect-engine-payload.c
@@ -879,6 +879,58 @@ end:
     return result;
 }
 
+/*
+ * \test Test packet/stream sigs
+ */
+static int PayloadTestSig27(void)
+{
+    uint8_t buf[] = "dummypayload";
+    uint16_t buflen = sizeof(buf) - 1;
+    int result = 0;
+
+    Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
+
+    char sig[] = "alert tcp any any -> any any (content:\"dummy\"; "
+        "depth:5; sid:1;)";
+
+    p->flags |= PKT_STREAM_ADD;
+    if (UTHPacketMatchSigMpm(p, sig, MPM_AC) != 1)
+        goto end;
+
+    result = 1;
+
+end:
+    if (p != NULL)
+        UTHFreePacket(p);
+    return result;
+}
+
+/*
+ * \test Test packet/stream sigs
+ */
+static int PayloadTestSig28(void)
+{
+    uint8_t buf[] = "dummypayload";
+    uint16_t buflen = sizeof(buf) - 1;
+    int result = 0;
+
+    Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
+
+    char sig[] = "alert tcp any any -> any any (content:\"payload\"; "
+        "offset:4; depth:12; sid:1;)";
+
+    p->flags |= PKT_STREAM_ADD;
+    if (UTHPacketMatchSigMpm(p, sig, MPM_AC) != 1)
+        goto end;
+
+    result = 1;
+
+end:
+    if (p != NULL)
+        UTHFreePacket(p);
+    return result;
+}
+
 #endif /* UNITTESTS */
 
 void PayloadRegisterTests(void) {
@@ -910,6 +962,8 @@ void PayloadRegisterTests(void) {
     UtRegisterTest("PayloadTestSig24", PayloadTestSig24, 1);
     UtRegisterTest("PayloadTestSig25", PayloadTestSig25, 1);
     UtRegisterTest("PayloadTestSig26", PayloadTestSig26, 1);
+    UtRegisterTest("PayloadTestSig27", PayloadTestSig27, 1);
+    UtRegisterTest("PayloadTestSig28", PayloadTestSig28, 1);
 #endif /* UNITTESTS */
 
     return;

diff --git a/src/detect-parse.c b/src/detect-parse.c
index 317d0f7a546e73d91c53949220658e67e2e8d00c..d2639d32b9bf918e5ef218005f1407ccf6892d3d 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -2132,6 +2132,186 @@ end:
     return result;
 }
 
+/**
+ * \test packet/stream sig
+ */
+static int SigParseTest13(void) {
+    int result = 0;
+
+    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+    if (de_ctx == NULL)
+        goto end;
+
+    Signature *s = NULL;
+
+    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; sid:1;)");
+    if (s == NULL) {
+        printf("sig 1 invalidated: failure");
+        goto end;
+    }
+
+    if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
+        printf("sig doesn't have stream flag set\n");
+        goto end;
+    }
+
+    if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
+        printf("sig has packet flag set\n");
+        goto end;
+    }
+
+    result = 1;
+
+end:
+    if (de_ctx != NULL)
+        DetectEngineCtxFree(de_ctx);
+    return result;
+}
+
+/**
+ * \test packet/stream sig
+ */
+static int SigParseTest14(void) {
+    int result = 0;
+
+    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+    if (de_ctx == NULL)
+        goto end;
+
+    Signature *s = NULL;
+
+    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; dsize:>0; sid:1;)");
+    if (s == NULL) {
+        printf("sig 1 invalidated: failure");
+        goto end;
+    }
+
+    if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+        printf("sig doesn't have packet flag set\n");
+        goto end;
+    }
+
+    if (s->flags & SIG_FLAG_REQUIRE_STREAM) {
+        printf("sig has stream flag set\n");
+        goto end;
+    }
+
+    result = 1;
+
+end:
+    if (de_ctx != NULL)
+        DetectEngineCtxFree(de_ctx);
+    return result;
+}
+
+/**
+ * \test packet/stream sig
+ */
+static int SigParseTest15(void) {
+    int result = 0;
+
+    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+    if (de_ctx == NULL)
+        goto end;
+
+    Signature *s = NULL;
+
+    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; offset:5; sid:1;)");
+    if (s == NULL) {
+        printf("sig 1 invalidated: failure");
+        goto end;
+    }
+
+    if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+        printf("sig doesn't have packet flag set\n");
+        goto end;
+    }
+
+    if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
+        printf("sig doesn't have stream flag set\n");
+        goto end;
+    }
+
+    result = 1;
+
+end:
+    if (de_ctx != NULL)
+        DetectEngineCtxFree(de_ctx);
+    return result;
+}
+
+/**
+ * \test packet/stream sig
+ */
+static int SigParseTest16(void) {
+    int result = 0;
+
+    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+    if (de_ctx == NULL)
+        goto end;
+
+    Signature *s = NULL;
+
+    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; depth:5; sid:1;)");
+    if (s == NULL) {
+        printf("sig 1 invalidated: failure");
+        goto end;
+    }
+
+    if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+        printf("sig doesn't have packet flag set\n");
+        goto end;
+    }
+
+    if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
+        printf("sig doesn't have stream flag set\n");
+        goto end;
+    }
+
+    result = 1;
+
+end:
+    if (de_ctx != NULL)
+        DetectEngineCtxFree(de_ctx);
+    return result;
+}
+
+/**
+ * \test packet/stream sig
+ */
+static int SigParseTest17(void) {
+    int result = 0;
+
+    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+    if (de_ctx == NULL)
+        goto end;
+
+    Signature *s = NULL;
+
+    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; offset:1; depth:5; sid:1;)");
+    if (s == NULL) {
+        printf("sig 1 invalidated: failure");
+        goto end;
+    }
+
+    if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+        printf("sig doesn't have packet flag set\n");
+        goto end;
+    }
+
+    if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
+        printf("sig doesn't have stream flag set\n");
+        goto end;
+    }
+
+    result = 1;
+
+end:
+    if (de_ctx != NULL)
+        DetectEngineCtxFree(de_ctx);
+    return result;
+}
+
 /** \test Direction operator validation (invalid) */
 int SigParseBidirecTest06 (void) {
     int result = 1;
@@ -3006,6 +3186,11 @@ void SigParseRegisterTests(void) {
     UtRegisterTest("SigParseTest10", SigParseTest10, 1);
     UtRegisterTest("SigParseTest11", SigParseTest11, 1);
     UtRegisterTest("SigParseTest12", SigParseTest12, 1);
+    UtRegisterTest("SigParseTest13", SigParseTest13, 1);
+    UtRegisterTest("SigParseTest14", SigParseTest14, 1);
+    UtRegisterTest("SigParseTest15", SigParseTest15, 1);
+    UtRegisterTest("SigParseTest16", SigParseTest16, 1);
+    UtRegisterTest("SigParseTest17", SigParseTest17, 1);
 
     UtRegisterTest("SigParseBidirecTest06", SigParseBidirecTest06, 1);
     UtRegisterTest("SigParseBidirecTest07", SigParseBidirecTest07, 1);