From: Giuseppe Longo Date: Fri, 30 Jan 2015 09:36:55 +0000 (+0100) Subject: UT: implement tests for inspection code X-Git-Tag: suricata-2.1beta4~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1f52410d0fdac1e2eb95256cee40b7e2aeb46d39;p=thirdparty%2Fsuricata.git UT: implement tests for inspection code --- diff --git a/src/detect-engine-filedata-smtp.c b/src/detect-engine-filedata-smtp.c index 7f0ff13e7f..c9eedd4df5 100644 --- a/src/detect-engine-filedata-smtp.c +++ b/src/detect-engine-filedata-smtp.c @@ -47,6 +47,7 @@ #include "app-layer.h" #include "app-layer-smtp.h" #include "app-layer-protos.h" +#include "app-layer-parser.h" #include "conf.h" #include "conf-yaml-loader.h" @@ -246,3 +247,276 @@ int DetectEngineRunSMTPMpm(DetectEngineCtx *de_ctx, end: return cnt; } + +#ifdef UNITTESTS + +static int DetectEngineSMTPFiledataTest01(void) +{ + uint8_t mimemsg[] = {0x4D, 0x49, 0x4D, 0x45, 0x2D, 0x56, 0x65, 0x72, + 0x73, 0x69, 0x6F, 0x6E, 0x3A, 0x20, 0x31, 0x2E, + 0x30, 0x0D, 0x0A, 0x43, 0x6F, 0x6E, 0x74, 0x65, + 0x6E, 0x74, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A, + 0x20, 0x74, 0x65, 0x78, 0x74, 0x2F, 0x70, 0x6C, + 0x61, 0x69, 0x6E, 0x3B, 0x20, 0x63, 0x68, 0x61, + 0x72, 0x73, 0x65, 0x74, 0x3D, 0x55, 0x54, 0x46, + 0x2D, 0x38, 0x3B, 0x0D, 0x0A, 0x43, 0x6F, 0x6E, + 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x54, 0x72, 0x61, + 0x6E, 0x73, 0x66, 0x65, 0x72, 0x2D, 0x45, 0x6E, + 0x63, 0x6F, 0x64, 0x69, 0x6E, 0x67, 0x3A, 0x20, + 0x37, 0x62, 0x69, 0x74, 0x0D, 0x0A, 0x43, 0x6F, + 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x44, 0x69, + 0x73, 0x70, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F, + 0x6E, 0x3A, 0x20, 0x61, 0x74, 0x74, 0x61, 0x63, + 0x68, 0x6D, 0x65, 0x6E, 0x74, 0x3B, 0x20, 0x66, + 0x69, 0x6C, 0x65, 0x6E, 0x61, 0x6D, 0x65, 0x3D, + 0x22, 0x74, 0x65, 0x73, 0x74, 0x2E, 0x74, 0x78, + 0x74, 0x22, 0x0D, 0x0A, 0x0D, 0x0A, 0x6d, 0x65, + 0x73, 0x73, 0x61, 0x67, 0x65,}; + uint32_t mimemsg_len = sizeof(mimemsg) - 1; + TcpSession ssn; + Packet *p; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + SMTPState *smtp_state = NULL; + Flow f; + int result = 0; + + AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.proto = IPPROTO_TCP; + f.flags |= FLOW_IPV4; + f.alstate = SMTPStateAlloc(); + + MimeDecParseState *state = MimeDecInitParser(&f, NULL); + ((MimeDecEntity *)state->stack->top->data)->ctnt_flags = CTNT_IS_ATTACHMENT; + state->body_begin = 1; + + if (SMTPProcessDataChunk((uint8_t *)mimemsg, sizeof(mimemsg), state) != 0) + goto end; + + p->flow = &f; + p->flowflags |= FLOW_PKT_TOSERVER; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; + f.alproto = ALPROTO_SMTP; + + StreamTcpInitConfig(TRUE); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx, "alert smtp any any -> any any " + "(msg:\"file_data smtp test\"; " + "file_data; content:\"message\"; sid:1;)"); + if (de_ctx->sig_list == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + SCMutexLock(&f.m); + int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_SMTP, STREAM_TOSERVER, mimemsg, mimemsg_len); + if (r != 0) { + printf("AppLayerParse for smtp failed. Returned %d", r); + SCMutexUnlock(&f.m); + goto end; + } + SCMutexUnlock(&f.m); + + smtp_state = f.alstate; + if (smtp_state == NULL) { + printf("no smtp state: "); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + if (!(PacketAlertCheck(p, 1))) { + printf("sid 1 didn't match but should have\n"); + goto end; + } + + result = 1; + +end: + if (alp_tctx != NULL) + AppLayerParserThreadCtxFree(alp_tctx); + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + SigCleanSignatures(de_ctx); + + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p, 1); + return result; +} + +static int DetectEngineSMTPFiledataTest02(void) +{ + Signature *s = NULL; + DetectEngineCtx *de_ctx = NULL; + int result = 0; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + s = DetectEngineAppendSig(de_ctx, "alert smtp any any -> any any " + "(msg:\"file_data smtp test\"; " + "file_data; content:\"message\"; sid:1;)"); + if (s == NULL) + goto end; + + if (s->flags & SIG_FLAG_TOSERVER) + result = 1; + else if (s->flags & SIG_FLAG_TOCLIENT) + printf("s->flags & SIG_FLAG_TOCLIENT"); + +end: + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + return result; + +} + +static int DetectEngineSMTPFiledataTest03(void) +{ + uint8_t mimemsg1[] = {0x65, 0x76,}; + uint8_t mimemsg2[] = {0x69, 0x6C,}; + uint32_t mimemsg1_len = sizeof(mimemsg1) - 1; + uint32_t mimemsg2_len = sizeof(mimemsg2) - 1; + TcpSession ssn; + Packet *p; + ThreadVars th_v; + DetectEngineCtx *de_ctx = NULL; + DetectEngineThreadCtx *det_ctx = NULL; + SMTPState *smtp_state = NULL; + Flow f; + int result = 1; + + AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + f.proto = IPPROTO_TCP; + f.flags |= FLOW_IPV4; + f.alstate = SMTPStateAlloc(); + + MimeDecParseState *state = MimeDecInitParser(&f, NULL); + ((MimeDecEntity *)state->stack->top->data)->ctnt_flags = CTNT_IS_ATTACHMENT; + state->body_begin = 1; + + if (SMTPProcessDataChunk((uint8_t *)mimemsg1, sizeof(mimemsg1), state) != 0) + goto end; + + if (SMTPProcessDataChunk((uint8_t *)mimemsg2, sizeof(mimemsg2), state) != 0) + goto end; + + p->flow = &f; + p->flowflags |= FLOW_PKT_TOSERVER; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; + f.alproto = ALPROTO_SMTP; + + StreamTcpInitConfig(TRUE); + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + + de_ctx->flags |= DE_QUIET; + + de_ctx->sig_list = SigInit(de_ctx, "alert smtp any any -> any any " + "(msg:\"file_data smtp test\"; " + "file_data; content:\"evil\"; sid:1;)"); + if (de_ctx->sig_list == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + SCMutexLock(&f.m); + int r = 0; + r = AppLayerParserParse(alp_tctx, &f, ALPROTO_SMTP, STREAM_TOSERVER, mimemsg1, mimemsg1_len); + if (r != 0) { + printf("AppLayerParse for smtp failed. Returned %d", r); + SCMutexUnlock(&f.m); + goto end; + } + r = AppLayerParserParse(alp_tctx, &f, ALPROTO_SMTP, STREAM_TOSERVER, mimemsg2, mimemsg2_len); + if (r != 0) { + printf("AppLayerParse for smtp failed. Returned %d", r); + SCMutexUnlock(&f.m); + goto end; + } + SCMutexUnlock(&f.m); + + smtp_state = f.alstate; + if (smtp_state == NULL) { + printf("no smtp state: "); + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + if (PacketAlertCheck(p, 1)) { + printf("sid 1 matched but shouldn't have\n"); + goto end; + } + + result = 0; + +end: + if (alp_tctx != NULL) + AppLayerParserThreadCtxFree(alp_tctx); + if (de_ctx != NULL) + SigGroupCleanup(de_ctx); + if (de_ctx != NULL) + SigCleanSignatures(de_ctx); + + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + UTHFreePackets(&p, 1); + return result; +} + +#endif /* UNITTESTS */ + +void DetectEngineSMTPFiledataRegisterTests(void) +{ + #ifdef UNITTESTS + UtRegisterTest("DetectEngineSMTPFiledataTest01", + DetectEngineSMTPFiledataTest01, 1); + UtRegisterTest("DetectEngineSMTPFiledataTest02", + DetectEngineSMTPFiledataTest02, 1); + UtRegisterTest("DetectEngineSMTPFiledataTest03", + DetectEngineSMTPFiledataTest03, 0); + #endif /* UNITTESTS */ + + return; +} diff --git a/src/detect-engine-filedata-smtp.h b/src/detect-engine-filedata-smtp.h index 666c9e56b4..e04832b77b 100644 --- a/src/detect-engine-filedata-smtp.h +++ b/src/detect-engine-filedata-smtp.h @@ -38,4 +38,6 @@ int DetectEngineRunSMTPMpm(DetectEngineCtx *de_ctx, SMTPState *smtp_state, uint8_t flags, void *tx, uint64_t idx); +void DetectEngineSMTPFiledataRegisterTests(void); + #endif /* __DETECT_ENGINE_FILEDATA_SMTP_H__ */ diff --git a/src/runmode-unittests.c b/src/runmode-unittests.c index e7a8b34d27..378d3c801e 100644 --- a/src/runmode-unittests.c +++ b/src/runmode-unittests.c @@ -51,6 +51,7 @@ #include "detect-engine-state.h" #include "detect-engine-tag.h" #include "detect-engine-modbus.h" +#include "detect-engine-filedata-smtp.h" #include "detect-fast-pattern.h" #include "flow.h" #include "flow-timeout.h" @@ -261,6 +262,7 @@ void RunUnittests(int list_unittests, char *regex_arg) DetectEngineHttpHRHRegisterTests(); DetectEngineInspectModbusRegisterTests(); DetectEngineRegisterTests(); + DetectEngineSMTPFiledataRegisterTests(); SCLogRegisterTests(); MagicRegisterTests(); UtilMiscRegisterTests();