From: Juliana Fajardini Date: Mon, 1 Aug 2022 23:04:22 +0000 (-0300) Subject: detect/alert: add unittests to check packet action X-Git-Tag: suricata-6.0.7~50 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b59f65d02f9133bf2d22c25d86660ed1d08baca;p=thirdparty%2Fsuricata.git detect/alert: add unittests to check packet action Add unittests to check that packet flags are correctly updated after detection finds drop or reject rules that match. Related to Bug #5458 (cherry picked from commit f897761ecbc0e78d45110f35b53820d74fd2e1d3)
---
diff --git a/src/Makefile.am b/src/Makefile.am
index 1beadab102..b4b9036653 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -584,6 +584,7 @@ EXTRA_DIST = \
 tests/app-layer-htp-file.c \
 tests/detect-bsize.c \
 tests/detect.c \
+ tests/detect-engine-alert.c \
 tests/detect-engine-content-inspection.c \
 tests/detect-file-data.c \
 tests/detect-http2.c \
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index bff6078aa5..7bff58bc07 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -404,6 +404,8 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx if (p->flow != NULL && p->alerts.cnt > 0) { FlowSetHasAlertsFlag(p->flow); } - } +#ifdef UNITTESTS +#include "tests/detect-engine-alert.c" +#endif
diff --git a/src/detect-engine-alert.h b/src/detect-engine-alert.h
index bf54d90c91..ee940c5869 100644
--- a/src/detect-engine-alert.h
+++ b/src/detect-engine-alert.h
@@ -36,5 +36,6 @@ void PacketAlertFinalize(DetectEngineCtx *, DetectEngineThreadCtx *, Packet *); int PacketAlertCheck(Packet *, uint32_t); void PacketAlertTagInit(void); PacketAlert *PacketAlertGetTag(void); +void DetectEngineAlertRegisterTests(void); #endif /* __DETECT_ENGINE_ALERT_H__ */
diff --git a/src/runmode-unittests.c b/src/runmode-unittests.c
index d4a53e80b7..bb548ff333 100644
--- a/src/runmode-unittests.c
+++ b/src/runmode-unittests.c
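Review bot: The prototype `void DetectEngineAlertRegisterTests(void);` added to detect-engine-alert.h is unconditional, while its only visible definition arrives through the `#include "tests/detect-engine-alert.c"` that the detect-engine-alert.c hunk places inside `#ifdef UNITTESTS`. A build without UNITTESTS therefore declares a function that is never defined, which is harmless only as long as every caller is itself compiled under the same guard; the runmode-unittests.c hunk starts inside RegisterUnittests, so that cannot be confirmed from here. A one-line comment on the prototype, `/* defined in tests/detect-engine-alert.c, UNITTESTS builds only */`, would document the dependency for the next reader.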
@@ -196,6 +196,7 @@ static void RegisterUnittests(void)
 DetectAddressTests();
 DetectProtoTests();
 DetectPortTests();
+ DetectEngineAlertRegisterTests();
 SCAtomicRegisterTests();
 MemrchrRegisterTests();
 AppLayerUnittestsRegister();
diff --git a/src/tests/detect-engine-alert.c b/src/tests/detect-engine-alert.c
new file mode 100644
index 0000000000..86bc8d4a28
--- /dev/null
+++ b/src/tests/detect-engine-alert.c
@@ -0,0 +1,77 @@
+/* Copyright (C) 2022 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include "../suricata-common.h"
+
+#include "../detect.h"
+#include "../detect-engine.h"
+#include "../detect-engine-alert.h"
+#include "../detect-parse.h"
+
+#include "../util-unittest.h"
+#include "../util-unittest-helper.h"
+
+/**
+ * \brief Tests that the reject action is correctly set in Packet->action
+ */
+static int TestDetectAlertPacketApplySignatureActions01(void)
+{
+#ifdef HAVE_LIBNET11
+ uint8_t payload[] = "Hi all!";
+ uint16_t length = sizeof(payload) - 1;
+ Packet *p = UTHBuildPacketReal(
+ (uint8_t *)payload, length, IPPROTO_TCP, "192.168.1.5", "192.168.1.1", 41424, 80);
+ FAIL_IF_NULL(p);
+
+ const char sig[] = "reject tcp any any -> any 80 (content:\"Hi all\"; sid:1; rev:1;)";
+ FAIL_IF(UTHPacketMatchSig(p, sig) == 0);
+ FAIL_IF_NOT(PacketTestAction(p, ACTION_REJECT_ANY));
+
+ UTHFreePackets(&p, 1);
+#endif /* HAVE_LIBNET11 */
+ PASS;
+}
+
+/**
+ * \brief Tests that the packet has the drop action correctly updated in Packet->action
+ */
+static int TestDetectAlertPacketApplySignatureActions02(void)
+{
+ uint8_t payload[] = "Hi all!";
+ uint16_t length = sizeof(payload) - 1;
+ Packet *p = UTHBuildPacketReal(
+ (uint8_t *)payload, length, IPPROTO_TCP, "192.168.1.5", "192.168.1.1", 41424, 80);
+ FAIL_IF_NULL(p);
+
+ const char sig[] = "drop tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
+ FAIL_IF(UTHPacketMatchSig(p, sig) == 0);
+ FAIL_IF_NOT(PacketTestAction(p, ACTION_DROP));
+
+ UTHFreePackets(&p, 1);
+ PASS;
+}
+
+/**
+ * \brief Registers Detect Engine Alert unit tests
+ */
+void DetectEngineAlertRegisterTests(void)
+{
+ UtRegisterTest("TestDetectAlertPacketApplySignatureActions01",
+ TestDetectAlertPacketApplySignatureActions01);
+ UtRegisterTest("TestDetectAlertPacketApplySignatureActions02",
+ TestDetectAlertPacketApplySignatureActions02);
+}
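Review bot: TestDetectAlertPacketApplySignatureActions01 returns `PASS` without running any assertion when `HAVE_LIBNET11` is undefined, because everything except `PASS;` sits inside the `#ifdef`. On such builds the reject path is reported as tested when it is not; a comment above the guard, for example `/* no-op without libnet: the reject action is not exercised on this build */`, would make that visible (the guard presumably exists because reject rules need libnet, which the hunk does not show). Both tests also only assert that an action bit is present, so a regression that set drop or reject on every packet would still pass. A third case that matches an `alert` rule and then checks `FAIL_IF(PacketTestAction(p, ACTION_DROP));` would pin the negative side.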