From: Modupe Falodun
Date: Mon, 21 Feb 2022 15:43:04 +0000 (+0100)
Subject: detect-dce-iface: remove unittests
X-Git-Tag: suricata-7.0.0-beta1~833
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44208010dbb56a20ebca05dd68e997f5da22430e;p=thirdparty%2Fsuricata.git

detect-dce-iface: remove unittests

These tests are reimplemented in Suricata Verify

Task: 4911
---

diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c
index aec537410d..d87fd57b9b 100644
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2020 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -193,132 +193,6 @@ static void DetectDceIfaceFree(DetectEngineCtx *de_ctx, void *ptr)
 
 #ifdef UNITTESTS
 
-/**
- * \test Test a valid dce_iface entry for a bind and bind_ack
- */
-static int DetectDceIfaceTestParse1(void)
-{
- Signature *s = NULL;
- ThreadVars th_v;
- Packet *p = NULL;
- Flow f;
- TcpSession ssn;
- DetectEngineThreadCtx *det_ctx = NULL;
- DetectEngineCtx *de_ctx = NULL;
- DCERPCState *dcerpc_state = NULL;
- int r = 0;
-
- uint8_t dcerpc_bind[] = {
- 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
- 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
- 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
- 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
- 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
- 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
- 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
- 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
- };
-
- uint8_t dcerpc_bindack[] = {
- 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
- 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
- 0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
- 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
- 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
- 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
- 0x02, 0x00, 0x00, 0x00
- };
-
- uint8_t dcerpc_request[] = {
- 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
- 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
- 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- };
-
- uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
- uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
- uint32_t dcerpc_request_len = sizeof(dcerpc_request);
-
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_DCERPC;
-
- StreamTcpInitConfig(true);
-
- de_ctx = DetectEngineCtxInit();
- FAIL_IF(de_ctx == NULL);
- de_ctx->flags |= DE_QUIET;
-
- s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any "
- "(msg:\"DCERPC\"; "
- "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0,any_frag; "
- "sid:1;)");
- FAIL_IF(s == NULL);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SCLogDebug("handling to_server chunk");
-
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
- STREAM_TOSERVER | STREAM_START, dcerpc_bind,
- dcerpc_bind_len);
- FAIL_IF(r != 0);
-
- dcerpc_state = f.alstate;
- FAIL_IF(dcerpc_state == NULL);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- FAIL_IF(PacketAlertCheck(p, 1));
-
- SCLogDebug("handling to_client chunk");
-
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
- STREAM_TOCLIENT, dcerpc_bindack,
- dcerpc_bindack_len);
- FAIL_IF(r != 0);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- FAIL_IF(PacketAlertCheck(p, 1));
-
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
- STREAM_TOSERVER, dcerpc_request,
- dcerpc_request_len);
- FAIL_IF(r != 0);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF(!PacketAlertCheck(p, 1));
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- PASS;
-}
-
 /* Disabled because of bug_753. Would be enabled, once we rewrite
 * dce parser */
 #if 0
@@ -659,179 +533,12 @@ static int DetectDceIfaceTestParse13(void)
 
 #endif
 
-/**
- * \test Test a valid dce_iface entry for a bind and bind_ack
- */
-static int DetectDceIfaceTestParse2(void)
-{
- int result = 0;
- Signature *s = NULL;
- ThreadVars th_v;
- Packet *p = NULL;
- Flow f;
- TcpSession ssn;
- DetectEngineThreadCtx *det_ctx = NULL;
- DetectEngineCtx *de_ctx = NULL;
- DCERPCState *dcerpc_state = NULL;
- int r = 0;
-
- uint8_t dcerpc_bind[] = {
- 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
- 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
- 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
- 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11,
- 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, 0x2e, 0xf5,
- 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
- 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
- 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
- };
-
- uint8_t dcerpc_bindack[] = {
- 0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00,
- 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
- 0xb8, 0x10, 0xb8, 0x10, 0x26, 0x3d, 0x00, 0x00,
- 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c,
- 0x6c, 0x73, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
- 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
- 0x02, 0x00, 0x00, 0x00
- };
-
- uint8_t dcerpc_request[] = {
- 0x05, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00,
- 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00,
- 0xad, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- };
-
- uint32_t dcerpc_bind_len = sizeof(dcerpc_bind);
- uint32_t dcerpc_bindack_len = sizeof(dcerpc_bindack);
- uint32_t dcerpc_request_len = sizeof(dcerpc_request);
-
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&p, 0, sizeof(p));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_DCERPC;
-
- StreamTcpInitConfig(true);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
- "(msg:\"DCERPC\"; "
- "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5,=0; "
- "sid:1;)");
- if (s == NULL)
- goto end;
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
- STREAM_TOSERVER | STREAM_START, dcerpc_bind,
- dcerpc_bind_len);
- if (r != 0) {
- SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- dcerpc_state = f.alstate;
- if (dcerpc_state == NULL) {
- SCLogDebug("no dcerpc state: ");
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1))
- goto end;
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
- STREAM_TOCLIENT, dcerpc_bindack,
- dcerpc_bindack_len);
- if (r != 0) {
- SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1)) {
- SCLogDebug("sig 1 matched but shouldn't have: ");
- goto end;
- }
-
- FLOWLOCK_WRLOCK(&f);
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
- STREAM_TOSERVER, dcerpc_request,
- dcerpc_request_len);
- if (r != 0) {
- SCLogDebug("AppLayerParse for dcerpc failed. Returned %" PRId32, r);
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!PacketAlertCheck(p, 1)) {
- SCLogDebug("sig 1 matched but shouldn't have: ");
- goto end;
- }
-
- result = 1;
-
- end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
 static void DetectDceIfaceRegisterTests(void)
 {
- UtRegisterTest("DetectDceIfaceTestParse1", DetectDceIfaceTestParse1);
 /* Disabled because of bug_753. Would be enabled, once we rewrite
 * dce parser */
 #if 0
 UtRegisterTest("DetectDceIfaceTestParse13", DetectDceIfaceTestParse13, 1);
 #endif
- UtRegisterTest("DetectDceIfaceTestParse2", DetectDceIfaceTestParse2);
 }
 #endif /* UNITTESTS */