From: Anoop Saldanha Date: Fri, 15 Jun 2012 12:36:13 +0000 (+0530) Subject: tests to highlight that X-Git-Tag: suricata-1.3rc1~55 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a34f91358dab52ae8093459d3aa9f14cd5fd41f2;p=thirdparty%2Fsuricata.git tests to highlight that - suricata treates sigs with offset/depth without any packet keywords as stream sigs - as a consequence suricata will FN on such sigs The tests introduced here will fail, displaying the issues. The next patch in the series would fix the said issues.
---
diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c
index 388f4ada15..2745e0c6a6 100644
--- a/src/detect-engine-payload.c
+++ b/src/detect-engine-payload.c
@@ -879,6 +879,58 @@ end:
 return result;
 }
+/*
+ * \test Test packet/stream sigs
+ */
+static int PayloadTestSig27(void)
+{
+ uint8_t buf[] = "dummypayload";
+ uint16_t buflen = sizeof(buf) - 1;
+ int result = 0;
+
+ Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
+
+ char sig[] = "alert tcp any any -> any any (content:\"dummy\"; "
+ "depth:5; sid:1;)";
+
+ p->flags |= PKT_STREAM_ADD;
+ if (UTHPacketMatchSigMpm(p, sig, MPM_AC) != 1)
+ goto end;
+
+ result = 1;
+
+end:
+ if (p != NULL)
+ UTHFreePacket(p);
+ return result;
+}
+
+/*
+ * \test Test packet/stream sigs
+ */
+static int PayloadTestSig28(void)
+{
+ uint8_t buf[] = "dummypayload";
+ uint16_t buflen = sizeof(buf) - 1;
+ int result = 0;
+
+ Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
+
+ char sig[] = "alert tcp any any -> any any (content:\"payload\"; "
+ "offset:4; depth:12; sid:1;)";
+
+ p->flags |= PKT_STREAM_ADD;
+ if (UTHPacketMatchSigMpm(p, sig, MPM_AC) != 1)
+ goto end;
+
+ result = 1;
+
+end:
+ if (p != NULL)
+ UTHFreePacket(p);
+ return result;
+}
+
 #endif /* UNITTESTS */
 void PayloadRegisterTests(void) {
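Review bot: In PayloadTestSig27 and PayloadTestSig28, `p->flags |= PKT_STREAM_ADD;` dereferences the result of UTHBuildPacket() before any NULL check, while the cleanup at `end:` does test `p != NULL`, which suggests the helper can return NULL. Adding `if (p == NULL) goto end;` directly after the UTHBuildPacket() call would let the test fail cleanly instead of crashing the unit-test run. Both comments open with `/*` rather than `/**` and share the text `\test Test packet/stream sigs`; I would use `/**` and state what each test pins, e.g. for PayloadTestSig27 `\test content with depth and no packet keyword must match on a packet flagged PKT_STREAM_ADD`.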
@@ -910,6 +962,8 @@ void PayloadRegisterTests(void) {
 UtRegisterTest("PayloadTestSig24", PayloadTestSig24, 1);
 UtRegisterTest("PayloadTestSig25", PayloadTestSig25, 1);
 UtRegisterTest("PayloadTestSig26", PayloadTestSig26, 1);
+ UtRegisterTest("PayloadTestSig27", PayloadTestSig27, 1);
+ UtRegisterTest("PayloadTestSig28", PayloadTestSig28, 1);
 #endif /* UNITTESTS */
 return;
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 317d0f7a54..d2639d32b9 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -2132,6 +2132,186 @@ end:
 return result;
 }
+/**
+ * \test packet/stream sig
+ */
+static int SigParseTest13(void) {
+ int result = 0;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ Signature *s = NULL;
+
+ s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; sid:1;)");
+ if (s == NULL) {
+ printf("sig 1 invalidated: failure");
+ goto end;
+ }
+
+ if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
+ printf("sig doesn't have stream flag set\n");
+ goto end;
+ }
+
+ if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
+ printf("sig has packet flag set\n");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test packet/stream sig
+ */
+static int SigParseTest14(void) {
+ int result = 0;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ Signature *s = NULL;
+
+ s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; dsize:>0; sid:1;)");
+ if (s == NULL) {
+ printf("sig 1 invalidated: failure");
+ goto end;
+ }
+
+ if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+ printf("sig doesn't have packet flag set\n");
+ goto end;
+ }
+
+ if (s->flags & SIG_FLAG_REQUIRE_STREAM) {
+ printf("sig has stream flag set\n");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test packet/stream sig
+ */
+static int SigParseTest15(void) {
+ int result = 0;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ Signature *s = NULL;
+
+ s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; offset:5; sid:1;)");
+ if (s == NULL) {
+ printf("sig 1 invalidated: failure");
+ goto end;
+ }
+
+ if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+ printf("sig doesn't have packet flag set\n");
+ goto end;
+ }
+
+ if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
+ printf("sig doesn't have stream flag set\n");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test packet/stream sig
+ */
+static int SigParseTest16(void) {
+ int result = 0;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ Signature *s = NULL;
+
+ s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; depth:5; sid:1;)");
+ if (s == NULL) {
+ printf("sig 1 invalidated: failure");
+ goto end;
+ }
+
+ if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+ printf("sig doesn't have packet flag set\n");
+ goto end;
+ }
+
+ if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
+ printf("sig doesn't have stream flag set\n");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test packet/stream sig
+ */
+static int SigParseTest17(void) {
+ int result = 0;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ Signature *s = NULL;
+
+ s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; offset:1; depth:5; sid:1;)");
+ if (s == NULL) {
+ printf("sig 1 invalidated: failure");
+ goto end;
+ }
+
+ if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+ printf("sig doesn't have packet flag set\n");
+ goto end;
+ }
+
+ if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
+ printf("sig doesn't have stream flag set\n");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
 /** \test Direction operator validation (invalid) */
 int SigParseBidirecTest06 (void) {
 int result = 1;
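Review bot: SigParseTest13 through SigParseTest17 all carry the same comment, `\test packet/stream sig`, so nothing states which SIG_FLAG_REQUIRE_PACKET / SIG_FLAG_REQUIRE_STREAM combination each rule is expected to get, although the commit message ties exactly that classification to false negatives on offset/depth rules. I would give each test a one-line expectation, e.g. for SigParseTest15 `\test content with offset and no packet keyword: both REQUIRE_PACKET and REQUIRE_STREAM must be set`. The `printf("sig 1 invalidated: failure");` repeated in all five lacks the trailing `\n` that the other messages have. Per the commit message these tests fail until the follow-up patch, yet the registration hunk adds them with `1` as the last argument like the passing tests around them, so a sentence in each comment naming the pending fix would help anyone bisecting across this commit.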
@@ -3006,6 +3186,11 @@ void SigParseRegisterTests(void) {
 UtRegisterTest("SigParseTest10", SigParseTest10, 1);
 UtRegisterTest("SigParseTest11", SigParseTest11, 1);
 UtRegisterTest("SigParseTest12", SigParseTest12, 1);
+ UtRegisterTest("SigParseTest13", SigParseTest13, 1);
+ UtRegisterTest("SigParseTest14", SigParseTest14, 1);
+ UtRegisterTest("SigParseTest15", SigParseTest15, 1);
+ UtRegisterTest("SigParseTest16", SigParseTest16, 1);
+ UtRegisterTest("SigParseTest17", SigParseTest17, 1);
 UtRegisterTest("SigParseBidirecTest06", SigParseBidirecTest06, 1);
 UtRegisterTest("SigParseBidirecTest07", SigParseBidirecTest07, 1);