return res;
}
-/**
- * \test Check that we handle the "pass" action
- * correctly at the IP Only engine in the default case
- */
-static int UtilActionTest08(void)
-{
- int res = 0;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "pass ip 192.168.1.1 80 -> any any (msg:\"sig 2\"; sid:2;)";
- sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {1, 0, 1},
- {0, 0, 0},
- {1, 0, 1} };
- /* This means that with the second packet, the results will be
- * all ({0,0,0}) since, we should match the "pass" rule first
- */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- return res;
-}
-
-/**
- * \test Check that we handle the "pass" action
- * correctly at the IP Only engine with more
- * prio to drop
- */
-static int UtilActionTest09(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- action_order_sigs[0] = ACTION_DROP;
- action_order_sigs[1] = ACTION_PASS;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "pass ip 192.168.1.1 80 -> any any (msg:\"sig 2\"; sid:2;)";
- sigs[2]= "drop ip any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {1, 0, 1},
- {0, 0, 1},
- {1, 0, 1} };
- /* This means that with the second packet, the results will be
- * all ({0,0,1}) since, we should match the "drop" rule first.
- * Later the "pass" rule will avoid the "alert" rule match
- */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- /* Restore default values */
- action_order_sigs[0] = ACTION_PASS;
- action_order_sigs[1] = ACTION_DROP;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
- return res;
-}
-
-/**
- * \test Check that we handle the "pass" action
- * correctly at the detection engine in the default case
- */
-static int UtilActionTest10(void)
-{
- int res = 0;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- uint8_t buf2[] = "wo!";
- uint16_t buflen2 = sizeof(buf2) - 1;
- Packet *p[3];
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf2, buflen2, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
- sigs[1]= "pass ip any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)";
- sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {1, 0, 1},
- {0, 0, 0},
- {1, 0, 1} };
- /* This means that with the second packet, the results will be
- * all ({0,0,0}) since, we should match the "pass" rule first
- */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- return res;
-}
-
-/**
- * \test Check that we handle the "pass" action
- * correctly at the detection engine with more
- * prio to drop
- */
-static int UtilActionTest11(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- uint8_t buf2[] = "Hi all wo!";
- uint16_t buflen2 = sizeof(buf2) - 1;
- Packet *p[3];
-
- action_order_sigs[0] = ACTION_DROP;
- action_order_sigs[1] = ACTION_PASS;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf2, buflen2, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
- sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)";
- sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {1, 0, 1},
- {0, 0, 1},
- {1, 0, 1} };
- /* This means that with the second packet, the results will be
- * all ({0,0,1}) since, we should match the "drop" rule first.
- * Later the "pass" rule will avoid the "alert" rule match
- */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- /* Restore default values */
- action_order_sigs[0] = ACTION_PASS;
- action_order_sigs[1] = ACTION_DROP;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
- return res;
-}
-
-/**
- * \test Check that we handle the "pass" action
- * correctly at the detection engine in the default case
- */
-static int UtilActionTest12(void)
-{
- int res = 0;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "pass ip any any -> any any (msg:\"Testing normal 2\"; sid:2;)";
- sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {0, 0, 0},
- {0, 0, 0},
- {0, 0, 0} };
- /* All should match the 3 sigs, but the action pass has prio */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- return res;
-}
-
-/**
- * \test Check that we handle the "pass" action
- * correctly at the detection engine with more
- * prio to drop
- */
-static int UtilActionTest13(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- action_order_sigs[0] = ACTION_DROP;
- action_order_sigs[1] = ACTION_PASS;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
- sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
- sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {0, 0, 1},
- {0, 0, 1},
- {0, 0, 1} };
- /* All the packets should match the 3 sigs. As drop has more
- * priority than pass, it should alert on each packet */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- /* Restore default values */
- action_order_sigs[0] = ACTION_PASS;
- action_order_sigs[1] = ACTION_DROP;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
- return res;
-}
-
-/**
- * \test Check that we handle the "pass" action
- * correctly at the detection engine with more
- * prio to drop and alert
- */
-static int UtilActionTest14(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- action_order_sigs[0] = ACTION_DROP;
- action_order_sigs[1] = ACTION_ALERT;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_PASS;
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
- sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
- sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {1, 0, 1},
- {1, 0, 1},
- {1, 0, 1} };
- /* All the packets should match the 3 sigs. As drop
- * and alert have more priority than pass, both should
- * alert on each packet */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- /* Restore default values */
- action_order_sigs[0] = ACTION_PASS;
- action_order_sigs[1] = ACTION_DROP;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
- return res;
-}
-
-/**
- * \test Check mixed sigs (iponly and normal)
- */
-static int UtilActionTest15(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
- sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {0, 0, 0},
- {0, 0, 0},
- {0, 0, 0} };
- /* All the packets should match the 3 sigs. As drop
- * and alert have more priority than pass, both should
- * alert on each packet */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- return res;
-}
-
-/**
- * \test Check mixed sigs (iponly and normal)
- */
-static int UtilActionTest16(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
- sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {0, 0, 0},
- {0, 0, 0},
- {0, 0, 0} };
- /* All the packets should match the 3 sigs. As drop
- * and alert have more priority than pass, both should
- * alert on each packet */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- return res;
-}
-
-/**
- * \test Check mixed sigs (iponly and normal)
- */
-static int UtilActionTest17(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
- sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {0, 0, 0},
- {0, 0, 0},
- {0, 0, 0} };
- /* All the packets should match the 3 sigs. As drop
- * and alert have more priority than pass, both should
- * alert on each packet */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- return res;
-}
-
-/**
- * \test Check mixed sigs (iponly and normal) with more prio for drop
- */
-static int UtilActionTest18(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- action_order_sigs[0] = ACTION_DROP;
- action_order_sigs[1] = ACTION_PASS;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
- sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {0, 0, 1},
- {0, 0, 1},
- {0, 0, 1} };
- /* All the packets should match the 3 sigs. As drop
- * and alert have more priority than pass, both should
- * alert on each packet */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- /* Restore default values */
- action_order_sigs[0] = ACTION_PASS;
- action_order_sigs[1] = ACTION_DROP;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
-
- return res;
-}
-
-/**
- * \test Check mixed sigs (iponly and normal) with more prio for drop
- */
-static int UtilActionTest19(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- action_order_sigs[0] = ACTION_DROP;
- action_order_sigs[1] = ACTION_PASS;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
- sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {1, 0, 0},
- {1, 0, 0},
- {1, 0, 0} };
- /* All the packets should match the 3 sigs. As drop
- * and alert have more priority than pass, both should
- * alert on each packet */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- /* Restore default values */
- action_order_sigs[0] = ACTION_PASS;
- action_order_sigs[1] = ACTION_DROP;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
-
- return res;
-}
-
-/**
- * \test Check mixed sigs (iponly and normal) with more prio for drop
- */
-static int UtilActionTest20(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- action_order_sigs[0] = ACTION_DROP;
- action_order_sigs[1] = ACTION_PASS;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
- sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {0, 1, 0},
- {0, 1, 0},
- {0, 1, 0} };
- /* All the packets should match the 3 sigs. As drop
- * and alert have more priority than pass, both should
- * alert on each packet */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- return res;
-}
-
-/**
- * \test Check mixed sigs (iponly and normal) with more prio for alert and drop
- */
-static int UtilActionTest21(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- action_order_sigs[0] = ACTION_DROP;
- action_order_sigs[1] = ACTION_ALERT;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_PASS;
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
- sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {1, 0, 1},
- {1, 0, 1},
- {1, 0, 1} };
- /* All the packets should match the 3 sigs. As drop
- * and alert have more priority than pass, both should
- * alert on each packet */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- /* Restore default values */
- action_order_sigs[0] = ACTION_PASS;
- action_order_sigs[1] = ACTION_DROP;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
-
- return res;
-}
-
-/**
- * \test Check mixed sigs (iponly and normal) with more prio for alert and drop
- */
-static int UtilActionTest22(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- action_order_sigs[0] = ACTION_DROP;
- action_order_sigs[1] = ACTION_ALERT;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_PASS;
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
- sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {1, 1, 0},
- {1, 1, 0},
- {1, 1, 0} };
- /* All the packets should match the 3 sigs. As drop
- * and alert have more priority than pass, both should
- * alert on each packet */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
-end:
- /* Restore default values */
- action_order_sigs[0] = ACTION_PASS;
- action_order_sigs[1] = ACTION_DROP;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
-
- return res;
-}
-
-/**
- * \test Check mixed sigs (iponly and normal) with more prio for alert and drop
- */
-static int UtilActionTest23(void)
-{
- int res = 1;
- uint8_t buf[] = "Hi all!";
- uint16_t buflen = sizeof(buf) - 1;
- Packet *p[3];
-
- action_order_sigs[0] = ACTION_DROP;
- action_order_sigs[1] = ACTION_ALERT;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_PASS;
-
- p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
- p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.1", "192.168.1.5",
- 80, 41424);
- p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
- "192.168.1.5", "192.168.1.1",
- 41424, 80);
-
- if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
- goto end;
-
- const char *sigs[3];
- sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
- sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
- sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
-
- uint32_t sid[3] = {1, 2, 3};
-
- uint32_t results[3][3] = {
- {0, 1, 1},
- {0, 1, 1},
- {0, 1, 1} };
- /* All the packets should match the 3 sigs. As drop
- * and alert have more priority than pass, both should
- * alert on each packet */
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto cleanup;
- de_ctx->flags |= DE_QUIET;
-
- if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
- goto cleanup;
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
-
- res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
-
-cleanup:
- UTHFreePackets(p, 3);
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
- /* Restore default values */
- action_order_sigs[0] = ACTION_PASS;
- action_order_sigs[1] = ACTION_DROP;
- action_order_sigs[2] = ACTION_REJECT;
- action_order_sigs[3] = ACTION_ALERT;
-
-end:
- return res;
-}
-
/**
* \test Check that the expected defaults are loaded if the
* action-order configuration is not present.
*/
-static int UtilActionTest24(void)
+static int UtilActionTest08(void)
{
int res = 1;
char config[] = "%YAML 1.1\n"
UtRegisterTest("UtilActionTest06", UtilActionTest06);
UtRegisterTest("UtilActionTest07", UtilActionTest07);
UtRegisterTest("UtilActionTest08", UtilActionTest08);
- UtRegisterTest("UtilActionTest09", UtilActionTest09);
- UtRegisterTest("UtilActionTest10", UtilActionTest10);
- UtRegisterTest("UtilActionTest11", UtilActionTest11);
- UtRegisterTest("UtilActionTest12", UtilActionTest12);
- UtRegisterTest("UtilActionTest13", UtilActionTest13);
- UtRegisterTest("UtilActionTest14", UtilActionTest14);
- UtRegisterTest("UtilActionTest15", UtilActionTest15);
- UtRegisterTest("UtilActionTest16", UtilActionTest16);
- UtRegisterTest("UtilActionTest17", UtilActionTest17);
- UtRegisterTest("UtilActionTest18", UtilActionTest18);
- UtRegisterTest("UtilActionTest19", UtilActionTest19);
- UtRegisterTest("UtilActionTest20", UtilActionTest20);
- UtRegisterTest("UtilActionTest21", UtilActionTest21);
- UtRegisterTest("UtilActionTest22", UtilActionTest22);
- UtRegisterTest("UtilActionTest23", UtilActionTest23);
- UtRegisterTest("UtilActionTest24", UtilActionTest24);
}
#endif
projects / thirdparty / suricata.git / commitdiff
