From c583c9e205d6b99a766e74530a4a57b4d6df12e9 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 10 Oct 2013 12:51:07 +0200 Subject: [PATCH] tag: fix session seconds tracking Fix bug #995. Tag time setting was initialized using "usec" field instead of "sec" field. This led to immediate timing out of tag. Added proper matching unittests for all tagging types. Bug #995. --- src/detect-engine-tag.c | 937 ++++++++++++++++++++++++++++++++++++++++ src/detect-engine-tag.h | 2 + src/detect-tag.c | 398 +---------------- 3 files changed, 941 insertions(+), 396 deletions(-) diff --git a/src/detect-engine-tag.c b/src/detect-engine-tag.c index d8b3eb1433..bbae8936f8 100644 --- a/src/detect-engine-tag.c +++ b/src/detect-engine-tag.c @@ -26,6 +26,7 @@ */ #include "suricata-common.h" +#include "detect-engine.h" #include "util-hash.h" #include "util-atomic.h" #include "util-time.h" @@ -36,6 +37,11 @@ #include "host-storage.h" #include "flow-storage.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" +#include "flow-util.h" +#include "stream-tcp-private.h" + SC_ATOMIC_DECLARE(unsigned int, num_tags); /**< Atomic counter, to know if we have tagged hosts/sessions, to avoid locking */ @@ -193,6 +199,7 @@ int TagHashAddTag(DetectTagDataEntry *tde, Packet *p) } /* no host for us */ if (host == NULL) { + SCLogDebug("host tag not added: no host"); return -1; } @@ -203,9 +210,11 @@ int TagHashAddTag(DetectTagDataEntry *tde, Packet *p) if (new_tde != NULL) { HostSetStorageById(host, host_tag_id, new_tde); (void) SC_ATOMIC_ADD(num_tags, 1); + SCLogDebug("host tag added"); } } else { /* Append the tag to the list of this host */ + SCLogDebug("updating existing host"); /* First iterate installed entries searching a duplicated sid/gid */ DetectTagDataEntry *iter = NULL; @@ -277,6 +286,8 @@ static void TagHandlePacketFlow(Flow *f, Packet *p) switch (iter->metric) { case DETECT_TAG_METRIC_PACKET: if (iter->packets > iter->count) { + SCLogDebug("flow tag expired: packets %u > %u", + iter->packets, iter->count); /* tag expired */ if (prev != NULL) { tde = iter; @@ -303,6 +314,8 @@ static void TagHandlePacketFlow(Flow *f, Packet *p) case DETECT_TAG_METRIC_BYTES: if (iter->bytes > iter->count) { /* tag expired */ + SCLogDebug("flow tag expired: bytes %u > %u", + iter->bytes, iter->count); if (prev != NULL) { tde = iter; prev->next = iter->next; @@ -394,6 +407,7 @@ void TagHandlePacketHost(Host *host, Packet *p) switch (iter->metric) { case DETECT_TAG_METRIC_PACKET: if (iter->packets > iter->count) { + SCLogDebug("host tag expired: packets %u > %u", iter->packets, iter->count); /* tag expired */ if (prev != NULL) { tde = iter; @@ -419,6 +433,7 @@ void TagHandlePacketHost(Host *host, Packet *p) break; case DETECT_TAG_METRIC_BYTES: if (iter->bytes > iter->count) { + SCLogDebug("host tag expired: bytes %u > %u", iter->bytes, iter->count); /* tag expired */ if (prev != NULL) { tde = iter; @@ -446,6 +461,9 @@ void TagHandlePacketHost(Host *host, Packet *p) /* last_ts handles this metric, but also a generic time based * expiration to prevent dead sessions/hosts */ if (iter->last_ts - iter->first_ts > iter->count) { + SCLogDebug("host tag expired: %u - %u = %u > %u", + iter->last_ts, iter->first_ts, + (iter->last_ts - iter->first_ts), iter->count); /* tag expired */ if (prev != NULL) { tde = iter; @@ -572,3 +590,922 @@ int TagTimeoutCheck(Host *host, struct timeval *tv) return retval; } +#ifdef UNITTESTS + +/** + * \test host tagging: packets + */ +int DetectTagTestPacket01 (void) { + int result = 0; + uint8_t *buf = (uint8_t *)"Hi all!"; + uint8_t *buf2 = (uint8_t *)"lalala!"; + uint16_t buf_len = strlen((char *)buf); + uint16_t buf_len2 = strlen((char *)buf2); + + Packet *p[7]; + p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.9", + 41424, 80); + p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.9", + 41424, 80); + p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.9", + 41424, 80); + p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.11", + 41424, 80); + p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.11", + 41424, 80); + + char *sigs[5]; + sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:host,3,packets,src; sid:1;)"; + sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"Hi all\"; tag:host,4,packets,dst; sid:2;)"; + sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; + sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; + sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; + + /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ + uint32_t sid[5] = {1,2,3,4,5}; + + int32_t results[7][5] = { + {1, 1, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0} + }; + StorageInit(); + TagInitCtx(); + StorageFinalize(); + HostInitConfig(1); + + SCLogDebug("running tests"); + result = UTHGenericTest(p, 7, sigs, sid, (uint32_t *) results, 5); + SCLogDebug("running tests done"); + + Host *src = HostLookupHostFromHash(&p[1]->src); + if (src) { + void *tag = HostGetStorageById(src, host_tag_id); + if (tag != NULL) { + printf("tag should have been expired: "); + result = 0; + } + + HostRelease(src); + } + Host *dst = HostLookupHostFromHash(&p[1]->dst); + if (dst) { + void *tag = HostGetStorageById(dst, host_tag_id); + BUG_ON(tag == NULL); + + DetectTagDataEntry *iter = tag; + + /* check internal state */ + if (!(iter->gid == 1 && iter->sid == 2 && iter->packets == 4 && iter->count == 4)) { + printf("gid %u sid %u packets %u count %u: ", iter->gid, iter->sid, iter->packets, iter->count); + result = 0; + } + + HostRelease(dst); + } + BUG_ON(src == NULL || dst == NULL); + + UTHFreePackets(p, 7); + + HostShutdown(); + TagDestroyCtx(); + StorageCleanup(); + return result; +} + +/** + * \test host tagging: seconds + */ +int DetectTagTestPacket02 (void) { + int result = 0; + uint8_t *buf = (uint8_t *)"Hi all!"; + uint8_t *buf2 = (uint8_t *)"lalala!"; + uint16_t buf_len = strlen((char *)buf); + uint16_t buf_len2 = strlen((char *)buf2); + + DecodeThreadVars dtv; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&th_v, 0, sizeof(th_v)); + + StorageInit(); + TagInitCtx(); + StorageFinalize(); + HostInitConfig(1); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + de_ctx->flags |= DE_QUIET; + + Packet *p[7]; + p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.9", + 41424, 80); + p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.9", + 41424, 80); + p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.9", + 41424, 80); + p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.11", + 41424, 80); + p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.11", + 41424, 80); + + char *sigs[5]; + sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:host,3,seconds,src; sid:1;)"; + sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"Hi all\"; tag:host,8,seconds,dst; sid:2;)"; + sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; + sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; + sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; + + /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ + uint32_t sid[5] = {1,2,3,4,5}; + int numsigs = 5; + + if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) + goto cleanup; + + //de_ctx->flags |= DE_QUIET; + + int32_t results[7][5] = { + {1, 1, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0} + }; + + int num_packets = 7; + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int i = 0; + for (; i < num_packets; i++) { + SCLogDebug("packet %d", i); + TimeGet(&p[i]->ts); + SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); + if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) + goto cleanup; + + TimeSetIncrementTime(2); + SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); + + /* see if the PKT_HAS_TAG is set on the packet if needed */ + int expect; + if (i == 0 || i == 2 || i == 3 || i == 5 || i == 6) + expect = FALSE; + else + expect = TRUE; + if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) + goto cleanup; + } + + result = 1; + +cleanup: + UTHFreePackets(p, 7); + if (det_ctx != NULL) + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + } +end: + HostShutdown(); + TagDestroyCtx(); + StorageCleanup(); + return result; +} + +/** + * \test host tagging: bytes + */ +static int DetectTagTestPacket03 (void) { + int result = 0; + uint8_t *buf = (uint8_t *)"Hi all!"; + uint8_t *buf2 = (uint8_t *)"lalala!"; + uint16_t buf_len = strlen((char *)buf); + uint16_t buf_len2 = strlen((char *)buf2); + + DecodeThreadVars dtv; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&th_v, 0, sizeof(th_v)); + + StorageInit(); + TagInitCtx(); + StorageFinalize(); + HostInitConfig(1); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + de_ctx->flags |= DE_QUIET; + + Packet *p[7]; + p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.9", + 41424, 80); + p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.9", + 41424, 80); + p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.9", + 41424, 80); + p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.11", + 41424, 80); + p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.11", + 41424, 80); + + char *sigs[5]; + sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:host, 150, bytes, src; sid:1;)"; + sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"Hi all\"; tag:host, 150, bytes, dst; sid:2;)"; + sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; + sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; + sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; + + /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ + uint32_t sid[5] = {1,2,3,4,5}; + int numsigs = 5; + + if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) + goto cleanup; + + int32_t results[7][5] = { + {1, 1, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0} + }; + + int num_packets = 7; + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int i = 0; + for (; i < num_packets; i++) { + SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); + + if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) + goto cleanup; + + SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); + + /* see if the PKT_HAS_TAG is set on the packet if needed */ + int expect; + if (i == 0 || i == 3 || i == 5 || i == 6) + expect = FALSE; + else + expect = TRUE; + if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) + goto cleanup; + } + + result = 1; + +cleanup: + UTHFreePackets(p, 7); + if (det_ctx != NULL) + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + } +end: + HostShutdown(); + TagDestroyCtx(); + StorageCleanup(); + return result; +} + +/** + * \test session tagging: packets + */ +static int DetectTagTestPacket04 (void) { + int result = 0; + uint8_t *buf = (uint8_t *)"Hi all!"; + uint8_t *buf2 = (uint8_t *)"lalala!"; + uint16_t buf_len = strlen((char *)buf); + uint16_t buf_len2 = strlen((char *)buf2); + + Flow *f = NULL; + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + StorageInit(); + TagInitCtx(); + StorageFinalize(); + HostInitConfig(1); + FlowInitConfig(1); + + f = FlowAlloc(); + BUG_ON(f == NULL); + FLOW_INITIALIZE(f); + f->protoctx = (void *)&ssn; + f->flags |= FLOW_IPV4; + if (inet_pton(AF_INET, "192.168.1.5", f->src.addr_data32) != 1) + goto end; + if (inet_pton(AF_INET, "192.168.1.1", f->dst.addr_data32) != 1) + goto end; + + DecodeThreadVars dtv; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&th_v, 0, sizeof(th_v)); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + de_ctx->flags |= DE_QUIET; + + Packet *p[7]; + p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.5", + 80, 41424); + p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.5", + 80, 41424); + p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 80, 41424); + + char *sigs[5]; + sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:session,4,packets; sid:1;)"; + sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"blahblah\"; sid:2;)"; + sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; + sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; + sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; + + /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ + uint32_t sid[5] = {1,2,3,4,5}; + int numsigs = 5; + + if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) + goto cleanup; + + int32_t results[7][5] = { + {1, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0} + }; + + int num_packets = 7; + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int i = 0; + for (; i < num_packets; i++) { + p[i]->flow = f; + p[i]->flow->protoctx = &ssn; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); + + if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) + goto cleanup; + + SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); + /* see if the PKT_HAS_TAG is set on the packet if needed */ + int expect; + if (i == 0 || i == 4 || i == 5 || i == 6) + expect = FALSE; + else + expect = TRUE; + if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) + goto cleanup; + } + + result = 1; + +cleanup: + UTHFreePackets(p, 7); + if (det_ctx != NULL) + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + } + + /* clean up flow */ + uint8_t proto_map = FlowGetProtoMapping(f->proto); + FlowClearMemory(f, proto_map); + FLOW_DESTROY(f); +end: + FlowShutdown(); + HostShutdown(); + TagDestroyCtx(); + StorageCleanup(); + return result; +} + +/** + * \test session tagging: seconds + */ +static int DetectTagTestPacket05 (void) { + int result = 0; + uint8_t *buf = (uint8_t *)"Hi all!"; + uint8_t *buf2 = (uint8_t *)"lalala!"; + uint16_t buf_len = strlen((char *)buf); + uint16_t buf_len2 = strlen((char *)buf2); + + Flow *f = NULL; + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + StorageInit(); + TagInitCtx(); + StorageFinalize(); + HostInitConfig(1); + FlowInitConfig(1); + + f = FlowAlloc(); + BUG_ON(f == NULL); + FLOW_INITIALIZE(f); + f->protoctx = (void *)&ssn; + f->flags |= FLOW_IPV4; + if (inet_pton(AF_INET, "192.168.1.5", f->src.addr_data32) != 1) + goto end; + if (inet_pton(AF_INET, "192.168.1.1", f->dst.addr_data32) != 1) + goto end; + + DecodeThreadVars dtv; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&th_v, 0, sizeof(th_v)); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + de_ctx->flags |= DE_QUIET; + + Packet *p[7]; + p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.5", + 80, 41424); + p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.5", + 80, 41424); + p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 80, 41424); + + char *sigs[5]; + sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:session,8,seconds; sid:1;)"; + sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"blahblah\"; sid:2;)"; + sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; + sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; + sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; + + /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ + uint32_t sid[5] = {1,2,3,4,5}; + int numsigs = 5; + + if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) + goto cleanup; + + int32_t results[7][5] = { + {1, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0} + }; + + int num_packets = 7; + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int i = 0; + for (; i < num_packets; i++) { + p[i]->flow = f; + p[i]->flow->protoctx = &ssn; + + SCLogDebug("packet %d", i); + TimeGet(&p[i]->ts); + SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); + + if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) + goto cleanup; + + TimeSetIncrementTime(2); + + SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); + /* see if the PKT_HAS_TAG is set on the packet if needed */ + int expect; + if (i == 0 || i == 5 || i == 6) + expect = FALSE; + else + expect = TRUE; + if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) + goto cleanup; + } + + result = 1; + +cleanup: + UTHFreePackets(p, 7); + if (det_ctx != NULL) + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + } + + /* clean up flow */ + uint8_t proto_map = FlowGetProtoMapping(f->proto); + FlowClearMemory(f, proto_map); + FLOW_DESTROY(f); +end: + FlowShutdown(); + HostShutdown(); + TagDestroyCtx(); + StorageCleanup(); + return result; +} + +/** + * \test session tagging: bytes + */ +static int DetectTagTestPacket06 (void) { + int result = 0; + uint8_t *buf = (uint8_t *)"Hi all!"; + uint8_t *buf2 = (uint8_t *)"lalala!"; + uint16_t buf_len = strlen((char *)buf); + uint16_t buf_len2 = strlen((char *)buf2); + + Flow *f = NULL; + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + StorageInit(); + TagInitCtx(); + StorageFinalize(); + HostInitConfig(1); + FlowInitConfig(1); + + f = FlowAlloc(); + BUG_ON(f == NULL); + FLOW_INITIALIZE(f); + f->protoctx = (void *)&ssn; + f->flags |= FLOW_IPV4; + if (inet_pton(AF_INET, "192.168.1.5", f->src.addr_data32) != 1) + goto end; + if (inet_pton(AF_INET, "192.168.1.1", f->dst.addr_data32) != 1) + goto end; + + DecodeThreadVars dtv; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&th_v, 0, sizeof(th_v)); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + de_ctx->flags |= DE_QUIET; + + Packet *p[7]; + p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.5", + 80, 41424); + p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.5", + 80, 41424); + p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 80, 41424); + + char *sigs[5]; + sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:session,150,bytes; sid:1;)"; + sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"blahblah\"; sid:2;)"; + sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; + sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; + sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; + + /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ + uint32_t sid[5] = {1,2,3,4,5}; + int numsigs = 5; + + if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) + goto cleanup; + + int32_t results[7][5] = { + {1, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0} + }; + + int num_packets = 7; + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int i = 0; + for (; i < num_packets; i++) { + p[i]->flow = f; + p[i]->flow->protoctx = &ssn; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); + + if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) + goto cleanup; + + SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); + + /* see if the PKT_HAS_TAG is set on the packet if needed */ + int expect; + if (i == 0 || i == 3 || i == 4 || i == 5 || i == 6) + expect = FALSE; + else + expect = TRUE; + if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) + goto cleanup; + } + + result = 1; + +cleanup: + UTHFreePackets(p, 7); + if (det_ctx != NULL) + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + } + + /* clean up flow */ + uint8_t proto_map = FlowGetProtoMapping(f->proto); + FlowClearMemory(f, proto_map); + FLOW_DESTROY(f); +end: + FlowShutdown(); + HostShutdown(); + TagDestroyCtx(); + StorageCleanup(); + return result; +} + +/** + * \test session tagging: bytes, where a 2nd match makes us tag more + */ +static int DetectTagTestPacket07 (void) { + int result = 0; + uint8_t *buf = (uint8_t *)"Hi all!"; + uint8_t *buf2 = (uint8_t *)"lalala!"; + uint16_t buf_len = strlen((char *)buf); + uint16_t buf_len2 = strlen((char *)buf2); + + Flow *f = NULL; + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + StorageInit(); + TagInitCtx(); + StorageFinalize(); + HostInitConfig(1); + FlowInitConfig(1); + + f = FlowAlloc(); + BUG_ON(f == NULL); + FLOW_INITIALIZE(f); + f->protoctx = (void *)&ssn; + f->flags |= FLOW_IPV4; + if (inet_pton(AF_INET, "192.168.1.5", f->src.addr_data32) != 1) + goto end; + if (inet_pton(AF_INET, "192.168.1.1", f->dst.addr_data32) != 1) + goto end; + + DecodeThreadVars dtv; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&th_v, 0, sizeof(th_v)); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + de_ctx->flags |= DE_QUIET; + + Packet *p[7]; + p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[3] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 41424, 80); + p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.5", + 80, 41424); + p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.1", "192.168.1.5", + 80, 41424); + p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, + "192.168.1.5", "192.168.1.1", + 80, 41424); + + char *sigs[5]; + sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:session,150,bytes; sid:1;)"; + sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"blahblah\"; sid:2;)"; + sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; + sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; + sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; + + /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ + uint32_t sid[5] = {1,2,3,4,5}; + int numsigs = 5; + + if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) + goto cleanup; + + int32_t results[7][5] = { + {1, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {1, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0} + }; + + int num_packets = 7; + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + int i = 0; + for (; i < num_packets; i++) { + p[i]->flow = f; + p[i]->flow->protoctx = &ssn; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); + + if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) + goto cleanup; + + SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); +#if 1 + /* see if the PKT_HAS_TAG is set on the packet if needed */ + int expect; + if (i == 0 || i == 6) + expect = FALSE; + else + expect = TRUE; + if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) + goto cleanup; +#endif + } + + result = 1; + +cleanup: + UTHFreePackets(p, 7); + if (det_ctx != NULL) + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + + if (de_ctx != NULL) { + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + DetectEngineCtxFree(de_ctx); + } + + /* clean up flow */ + uint8_t proto_map = FlowGetProtoMapping(f->proto); + FlowClearMemory(f, proto_map); + FLOW_DESTROY(f); +end: + FlowShutdown(); + HostShutdown(); + TagDestroyCtx(); + StorageCleanup(); + return result; +} + +#endif /* UNITTESTS */ + +/** + * \brief this function registers unit tests for DetectTag + */ +void DetectEngineTagRegisterTests(void) { +#ifdef UNITTESTS + UtRegisterTest("DetectTagTestPacket01", DetectTagTestPacket01, 1); + UtRegisterTest("DetectTagTestPacket02", DetectTagTestPacket02, 1); + UtRegisterTest("DetectTagTestPacket03", DetectTagTestPacket03, 1); + UtRegisterTest("DetectTagTestPacket04", DetectTagTestPacket04, 1); + UtRegisterTest("DetectTagTestPacket05", DetectTagTestPacket05, 1); + UtRegisterTest("DetectTagTestPacket06", DetectTagTestPacket06, 1); + UtRegisterTest("DetectTagTestPacket07", DetectTagTestPacket07, 1); +#endif /* UNITTESTS */ +} + diff --git a/src/detect-engine-tag.h b/src/detect-engine-tag.h index e9571b85d9..93243cef1e 100644 --- a/src/detect-engine-tag.h +++ b/src/detect-engine-tag.h @@ -56,6 +56,8 @@ int TagTimeoutCheck(Host *, struct timeval *); int TagHostHasTag(Host *host); +void DetectEngineTagRegisterTests(void); + #endif /* __DETECT_ENGINE_TAG_H__ */ diff --git a/src/detect-tag.c b/src/detect-tag.c index 50e2740e27..64fcac65ef 100644 --- a/src/detect-tag.c +++ b/src/detect-tag.c @@ -139,7 +139,7 @@ int DetectTagMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Si /* If it already exists it will be updated */ tde.sid = s->id; tde.gid = s->gid; - tde.last_ts = tde.first_ts = p->ts.tv_usec; + tde.last_ts = tde.first_ts = p->ts.tv_sec; tde.metric = td->metric; tde.count = td->count; @@ -460,390 +460,6 @@ int DetectTagTestParse05 (void) { return result; } - -/** - * \test DetectTagTestPacket01 is a test to check tagged hosts - */ -int DetectTagTestPacket01 (void) { - int result = 0; - uint8_t *buf = (uint8_t *)"Hi all!"; - uint8_t *buf2 = (uint8_t *)"lalala!"; - uint16_t buf_len = strlen((char *)buf); - uint16_t buf_len2 = strlen((char *)buf2); - - Packet *p[7]; - p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.9", - 41424, 80); - p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.11", - 41424, 80); - p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.11", - 41424, 80); - - char *sigs[5]; - sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:host, 3, packets, src; sid:4;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"Hi all\"; tag:host, 4, packets, dst; sid:5;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; - sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:6;)"; - sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:2;)"; - - /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ - uint32_t sid[5] = {1,2,3,4,5}; - - int32_t results[7][5] = { - {0, 0, 0, 1, 1}, - {1, 0, 0, 0, 0}, - {1, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {1, 0, 0, 0, 0}, - {1, 0, 0, 0, 0}, - {0, 0, 0, 0, 0} - }; - result = UTHGenericTest(p, 7, sigs, sid, (uint32_t *) results, 5); - - UTHFreePackets(p, 7); - - TagRestartCtx(); - return result; -} - -/** - * \test DetectTagTestPacket02 is a test to check tagged hosts - */ -int DetectTagTestPacket02 (void) { - int result = 0; - uint8_t *buf = (uint8_t *)"Hi all!"; - uint8_t *buf2 = (uint8_t *)"lalala!"; - uint16_t buf_len = strlen((char *)buf); - uint16_t buf_len2 = strlen((char *)buf2); - - DecodeThreadVars dtv; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - memset(&dtv, 0, sizeof(DecodeThreadVars)); - memset(&th_v, 0, sizeof(th_v)); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - - Packet *p[7]; - p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.9", - 41424, 80); - p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.11", - 41424, 80); - p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.11", - 41424, 80); - - char *sigs[5]; - sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:host, 3, seconds, src; sid:4;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"Hi all\"; tag:host, 4, seconds, dst; sid:5;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; - sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:6;)"; - sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:2;)"; - - /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ - uint32_t sid[5] = {1,2,3,4,5}; - int numsigs = 5; - - if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) - goto cleanup; - - //de_ctx->flags |= DE_QUIET; - - int32_t results[7][5] = { - {0, 0, 0, 1, 1}, - {1, 0, 0, 0, 0}, - {1, 0, 0, 0, 0}, - {1, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0} - }; - - int num_packets = 7; - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - int i = 0; - for (; i < num_packets; i++) { - SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); - if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) - goto cleanup; - if (i == 3) - TimeSetIncrementTime(10); - } - - result = 1; - -cleanup: - UTHFreePackets(p, 7); - if (det_ctx != NULL) - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } -end: - TagRestartCtx(); - return result; -} - -/** - * \test DetectTagTestPacket03 is a test to check tagged hosts - */ -int DetectTagTestPacket03 (void) { - int result = 0; - uint8_t *buf = (uint8_t *)"Hi all!"; - uint8_t *buf2 = (uint8_t *)"lalala!"; - uint16_t buf_len = strlen((char *)buf); - uint16_t buf_len2 = strlen((char *)buf2); - - DecodeThreadVars dtv; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - memset(&dtv, 0, sizeof(DecodeThreadVars)); - memset(&th_v, 0, sizeof(th_v)); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - - Packet *p[7]; - p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.9", - 41424, 80); - p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.11", - 41424, 80); - p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.11", - 41424, 80); - - char *sigs[5]; - sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:host, 150, bytes, src; sid:4;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"Hi all\"; tag:host, 150, bytes, dst; sid:5;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; - sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:6;)"; - sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:2;)"; - - /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ - uint32_t sid[5] = {1,2,3,4,5}; - int numsigs = 5; - - if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) - goto cleanup; - - //de_ctx->flags |= DE_QUIET; - - int32_t results[7][5] = { - {0, 0, 0, 1, 1}, - {1, 0, 0, 0, 0}, - {1, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {1, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0} - }; - - int num_packets = 7; - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - uint32_t sum = 0; - int i = 0; - for (; i < num_packets; i++) { - SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); - sum += GET_PKT_LEN(p[i]); - //printf("Sum %"PRIu32"\n", sum); - if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) - goto cleanup; - } - - result = 1; - -cleanup: - UTHFreePackets(p, 7); - if (det_ctx != NULL) - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } -end: - TagRestartCtx(); - return result; -} - -/** - * \test DetectTagTestPacket04 is a test to check tagged hosts - */ -int DetectTagTestPacket04 (void) { - int result = 0; - uint8_t *buf = (uint8_t *)"Hi all!"; - uint8_t *buf2 = (uint8_t *)"lalala!"; - uint16_t buf_len = strlen((char *)buf); - uint16_t buf_len2 = strlen((char *)buf2); - - Flow f; - TcpSession ssn; - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.flags |= FLOW_IPV4; - if (inet_pton(AF_INET, "192.168.1.5", f.src.addr_data32) != 1) - goto end; - if (inet_pton(AF_INET, "192.168.1.1", f.dst.addr_data32) != 1) - goto end; - - DecodeThreadVars dtv; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - memset(&dtv, 0, sizeof(DecodeThreadVars)); - memset(&th_v, 0, sizeof(th_v)); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - - Packet *p[7]; - p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 80, 41424); - - char *sigs[5]; - sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:session, 5, packets; sid:4;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"blahblah\"; sid:5;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; - sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:6;)"; - sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:2;)"; - - /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ - uint32_t sid[5] = {1,2,3,4,5}; - int numsigs = 5; - - if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) - goto cleanup; - - //de_ctx->flags |= DE_QUIET; - - int32_t results[7][5] = { - {0, 0, 0, 1, 0}, - {1, 0, 0, 0, 0}, - {1, 0, 0, 0, 0}, - {1, 0, 0, 0, 0}, - {1, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0} - }; - - int num_packets = 7; - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - uint32_t sum = 0; - int i = 0; - for (; i < num_packets; i++) { - p[i]->flow = &f; - p[i]->flow->protoctx = &ssn; - SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); - sum += GET_PKT_LEN(p[i]); - //printf("Sum %"PRIu32"\n", sum); - if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) - goto cleanup; - } - - result = 1; - -cleanup: - UTHFreePackets(p, 7); - if (det_ctx != NULL) - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - FLOW_DESTROY(&f); -end: - TagRestartCtx(); - return result; -} - #endif /* UNITTESTS */ /** @@ -857,17 +473,7 @@ void DetectTagRegisterTests(void) { UtRegisterTest("DetectTagTestParse04", DetectTagTestParse04, 1); UtRegisterTest("DetectTagTestParse05", DetectTagTestParse05, 1); -#if 0 - As we have changed the way of handling tags, now we do not get an alert - of a tagged packet, but the unified plugins write the tags. Now we reach - the flag of p->flags & PACKET_HAS_TAG, but we do not know which signature - triggered the tag, so this unittests needs to be updated, at least to - check the packets one by one for the TAG flag - UtRegisterTest("DetectTagTestPacket01", DetectTagTestPacket01, 1); - UtRegisterTest("DetectTagTestPacket02", DetectTagTestPacket02, 1); - UtRegisterTest("DetectTagTestPacket03", DetectTagTestPacket03, 1); - UtRegisterTest("DetectTagTestPacket04", DetectTagTestPacket04, 1); -#endif + DetectEngineTagRegisterTests(); #endif /* UNITTESTS */ } -- 2.47.2