1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18 #ifdef UNITTESTS
19
20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../pkt-var.h"
25 #include "../flow-util.h"
26 #include "../stream-tcp-reassemble.h"
27 #include "../util-unittest.h"
28 #include "../util-unittest-helper.h"
29
30 static const char *dummy_conf_string =
31 "%YAML 1.1\n"
32 "---\n"
33 "\n"
34 "default-log-dir: /var/log/suricata\n"
35 "\n"
36 "logging:\n"
37 "\n"
38 " default-log-level: debug\n"
39 "\n"
40 " default-format: \"<%t> - <%l>\"\n"
41 "\n"
42 " default-startup-message: Your IDS has started.\n"
43 "\n"
44 " default-output-filter:\n"
45 "\n"
46 " output:\n"
47 "\n"
48 " - interface: console\n"
49 " log-level: info\n"
50 "\n"
51 " - interface: file\n"
52 " filename: /var/log/suricata.log\n"
53 "\n"
54 " - interface: syslog\n"
55 " facility: local5\n"
56 " format: \"%l\"\n"
57 "\n"
58 "pfring:\n"
59 "\n"
60 " interface: eth0\n"
61 "\n"
62 " clusterid: 99\n"
63 "\n"
64 "vars:\n"
65 "\n"
66 " address-groups:\n"
67 "\n"
68 " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
69 "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
70 "\n"
71 " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
72 "\n"
73 " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
74 "\n"
75 " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
76 "\n"
77 " SQL_SERVERS: \"!192.168.0.0/16\"\n"
78 "\n"
79 " DNS_SERVERS: any\n"
80 "\n"
81 " TELNET_SERVERS: any\n"
82 "\n"
83 " AIM_SERVERS: any\n"
84 "\n"
85 " port-groups:\n"
86 "\n"
87 " HTTP_PORTS: \"80:81,88\"\n"
88 "\n"
89 " SHELLCODE_PORTS: 80\n"
90 "\n"
91 " ORACLE_PORTS: 1521\n"
92 "\n"
93 " SSH_PORTS: 22\n"
94 "\n";
95
SigTest01(void)96 static int SigTest01 (void)
97 {
98 uint8_t *buf = (uint8_t *)
99 "GET /one/ HTTP/1.1\r\n"
100 "Host: one.example.org\r\n"
101 "\r\n\r\n"
102 "GET /two/ HTTP/1.1\r\n"
103 "Host: two.example.org\r\n"
104 "\r\n\r\n";
105 uint16_t buflen = strlen((char *)buf);
106 Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
107 int result = 0;
108
109 char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
110 if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
111 result = 0;
112 goto end;
113 }
114 #if 0
115 //printf("URI0 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[0], p.http_uri.raw_size[0]);
116 //printf("URI1 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[1], p.http_uri.raw_size[1]);
117
118 if (p->http_uri.raw_size[0] == 5 &&
119 memcmp(p->http_uri.raw[0], "/one/", 5) == 0 &&
120 p->http_uri.raw_size[1] == 5 &&
121 memcmp(p->http_uri.raw[1], "/two/", 5) == 0)
122 {
123 result = 1;
124 }
125
126 #endif
127 result = 1;
128 end:
129 if (p != NULL)
130 UTHFreePacket(p);
131 return result;
132 }
133
SigTest02(void)134 static int SigTest02 (void)
135 {
136 uint8_t *buf = (uint8_t *)
137 "GET /one/ HTTP/1.1\r\n"
138 "Host: one.example.org\r\n"
139 "\r\n\r\n"
140 "GET /two/ HTTP/1.1\r\n"
141 "Host: two.example.org\r\n"
142 "\r\n\r\n";
143 uint16_t buflen = strlen((char *)buf);
144 Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
145 char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
146 int ret = UTHPacketMatchSigMpm(p, sig, MPM_AC);
147 UTHFreePacket(p);
148 return ret;
149 }
150
SigTest03(void)151 static int SigTest03 (void)
152 {
153 uint8_t *buf = (uint8_t *)
154 "GET /one/ HTTP/1.1\r\n"
155 "Host: one.example.org\r\n"
156 "\r\n\r\n"
157 "GET /two/ HTTP/1.1\r\n"
158 "Host: two.example.org\r\n"
159 "\r\n\r\n";
160 uint16_t buflen = strlen((char *)buf);
161 Packet *p = NULL;
162 ThreadVars th_v;
163 DetectEngineThreadCtx *det_ctx = NULL;
164 int result = 0;
165
166 memset(&th_v, 0, sizeof(th_v));
167
168 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
169
170 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
171 if (de_ctx == NULL) {
172 goto end;
173 }
174
175 de_ctx->flags |= DE_QUIET;
176
177 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
178 if (de_ctx->sig_list == NULL) {
179 result = 0;
180 goto end;
181 }
182
183 SigGroupBuild(de_ctx);
184 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
185
186 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
187 if (PacketAlertCheck(p, 1))
188 result = 1;
189
190 SigGroupCleanup(de_ctx);
191 SigCleanSignatures(de_ctx);
192
193 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
194 DetectEngineCtxFree(de_ctx);
195 end:
196 UTHFreePackets(&p, 1);
197 return result;
198 }
199
SigTest04(void)200 static int SigTest04 (void)
201 {
202 uint8_t *buf = (uint8_t *)
203 "GET /one/ HTTP/1.1\r\n" /* 20*/
204 "Host: one.example.org\r\n" /* 23, post "Host:" 18 */
205 "\r\n\r\n" /* 4 */
206 "GET /two/ HTTP/1.1\r\n" /* 20 */
207 "Host: two.example.org\r\n" /* 23 */
208 "\r\n\r\n"; /* 4 */
209 uint16_t buflen = strlen((char *)buf);
210
211 Packet *p = NULL;
212 ThreadVars th_v;
213 DetectEngineThreadCtx *det_ctx = NULL;
214 int result = 0;
215
216 memset(&th_v, 0, sizeof(th_v));
217
218 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
219
220 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
221 if (de_ctx == NULL) {
222 goto end;
223 }
224
225 de_ctx->flags |= DE_QUIET;
226
227 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
228 if (de_ctx->sig_list == NULL) {
229 result = 0;
230 goto end;
231 }
232
233 SigGroupBuild(de_ctx);
234 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
235
236 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
237 if (PacketAlertCheck(p, 1))
238 result = 1;
239
240 SigGroupCleanup(de_ctx);
241 SigCleanSignatures(de_ctx);
242
243 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
244 DetectEngineCtxFree(de_ctx);
245 end:
246 UTHFreePackets(&p, 1);
247 return result;
248 }
249
SigTest05(void)250 static int SigTest05 (void)
251 {
252 uint8_t *buf = (uint8_t *)
253 "GET /one/ HTTP/1.1\r\n" /* 20 */
254 "Host: one.example.org\r\n" /* 23, 43 */
255 "\r\n\r\n" /* 4, 47 */
256 "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
257 "Host: two.example.org\r\n" /* 23, 90 */
258 "\r\n\r\n"; /* 4, 94 */
259 uint16_t buflen = strlen((char *)buf);
260 Packet *p = NULL;
261 ThreadVars th_v;
262 DetectEngineThreadCtx *det_ctx = NULL;
263 int result = 0;
264
265 memset(&th_v, 0, sizeof(th_v));
266
267 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
268
269 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
270 if (de_ctx == NULL) {
271 goto end;
272 }
273
274 de_ctx->flags |= DE_QUIET;
275
276 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
277 if (de_ctx->sig_list == NULL) {
278 printf("sig parse failed: ");
279 goto end;
280 }
281
282 SigGroupBuild(de_ctx);
283 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
284
285 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
286 if (!PacketAlertCheck(p, 1)) {
287 result = 1;
288 } else {
289 printf("sig matched but shouldn't have: ");
290 }
291
292 SigGroupCleanup(de_ctx);
293 SigCleanSignatures(de_ctx);
294
295 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
296 DetectEngineCtxFree(de_ctx);
297 end:
298 UTHFreePackets(&p, 1);
299 return result;
300 }
301
SigTest06(void)302 static int SigTest06 (void)
303 {
304 uint8_t *buf = (uint8_t *)
305 "GET /one/ HTTP/1.1\r\n" /* 20 */
306 "Host: one.example.org\r\n" /* 23, 43 */
307 "\r\n\r\n" /* 4, 47 */
308 "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
309 "Host: two.example.org\r\n" /* 23, 90 */
310 "\r\n\r\n"; /* 4, 94 */
311 uint16_t buflen = strlen((char *)buf);
312 Packet *p = NULL;
313 ThreadVars th_v;
314 DetectEngineThreadCtx *det_ctx = NULL;
315 Flow f;
316 TcpSession ssn;
317 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
318 FAIL_IF_NULL(alp_tctx);
319
320 memset(&th_v, 0, sizeof(th_v));
321 memset(&f, 0, sizeof(f));
322 memset(&ssn, 0, sizeof(ssn));
323
324 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
325 FAIL_IF_NULL(p);
326
327 FLOW_INITIALIZE(&f);
328 f.protoctx = (void *)&ssn;
329 f.flags |= FLOW_IPV4;
330 f.proto = IPPROTO_TCP;
331 p->flow = &f;
332 p->flowflags |= FLOW_PKT_TOSERVER;
333 p->flowflags |= FLOW_PKT_ESTABLISHED;
334 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
335 f.alproto = ALPROTO_HTTP;
336
337 StreamTcpInitConfig(TRUE);
338
339 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
340 FAIL_IF_NULL(de_ctx);
341 de_ctx->flags |= DE_QUIET;
342
343 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
344 FAIL_IF_NULL(s);
345
346 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
347 FAIL_IF_NULL(s);
348
349 SigGroupBuild(de_ctx);
350 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
351 FAIL_IF_NULL(det_ctx);
352
353 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
354 STREAM_TOSERVER, buf, buflen);
355 FAIL_IF(r != 0);
356
357 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
358 FAIL_IF_NOT(PacketAlertCheck(p, 1));
359 FAIL_IF_NOT(PacketAlertCheck(p, 2));
360
361 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
362 DetectEngineCtxFree(de_ctx);
363 AppLayerParserThreadCtxFree(alp_tctx);
364 UTHFreePackets(&p, 1);
365 StreamTcpFreeConfig(TRUE);
366 FLOW_DESTROY(&f);
367 PASS;
368 }
369
SigTest07(void)370 static int SigTest07 (void)
371 {
372 uint8_t *buf = (uint8_t *)
373 "GET /one/ HTTP/1.1\r\n" /* 20 */
374 "Host: one.example.org\r\n" /* 23, 43 */
375 "\r\n\r\n" /* 4, 47 */
376 "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
377 "Host: two.example.org\r\n" /* 23, 90 */
378 "\r\n\r\n"; /* 4, 94 */
379 uint16_t buflen = strlen((char *)buf);
380 Packet *p = NULL;
381 ThreadVars th_v;
382 DetectEngineThreadCtx *det_ctx = NULL;
383 Flow f;
384 TcpSession ssn;
385 int result = 0;
386 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
387
388 memset(&th_v, 0, sizeof(th_v));
389 memset(&f, 0, sizeof(f));
390 memset(&ssn, 0, sizeof(ssn));
391
392 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
393
394 FLOW_INITIALIZE(&f);
395 f.protoctx = (void *)&ssn;
396 f.flags |= FLOW_IPV4;
397 f.proto = IPPROTO_TCP;
398 p->flow = &f;
399 p->flowflags |= FLOW_PKT_TOSERVER;
400 p->flowflags |= FLOW_PKT_ESTABLISHED;
401 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
402 f.alproto = ALPROTO_HTTP;
403
404 StreamTcpInitConfig(TRUE);
405
406 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
407 if (de_ctx == NULL) {
408 goto end;
409 }
410
411 de_ctx->flags |= DE_QUIET;
412
413 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
414 if (de_ctx->sig_list == NULL) {
415 result = 0;
416 goto end;
417 }
418 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
419 if (de_ctx->sig_list->next == NULL) {
420 result = 0;
421 goto end;
422 }
423
424 SigGroupBuild(de_ctx);
425 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
426
427 FLOWLOCK_WRLOCK(&f);
428 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
429 STREAM_TOSERVER, buf, buflen);
430 if (r != 0) {
431 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
432 result = 0;
433 FLOWLOCK_UNLOCK(&f);
434 goto end;
435 }
436 FLOWLOCK_UNLOCK(&f);
437
438 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
439 if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
440 result = 0;
441 else
442 result = 1;
443
444 end:
445 if (alp_tctx != NULL)
446 AppLayerParserThreadCtxFree(alp_tctx);
447 UTHFreePackets(&p, 1);
448 StreamTcpFreeConfig(TRUE);
449 FlowCleanupAppLayer(&f);
450 FLOW_DESTROY(&f);
451 SigGroupCleanup(de_ctx);
452 SigCleanSignatures(de_ctx);
453
454 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
455 DetectEngineCtxFree(de_ctx);
456
457 return result;
458 }
459
SigTest08(void)460 static int SigTest08 (void)
461 {
462 uint8_t *buf = (uint8_t *)
463 "GET /one/ HTTP/1.0\r\n" /* 20 */
464 "Host: one.example.org\r\n" /* 23, 43 */
465 "\r\n\r\n" /* 4, 47 */
466 "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
467 "Host: two.example.org\r\n" /* 23, 90 */
468 "\r\n\r\n"; /* 4, 94 */
469 uint16_t buflen = strlen((char *)buf);
470 Packet *p = NULL;
471 ThreadVars th_v;
472 DetectEngineThreadCtx *det_ctx = NULL;
473 Flow f;
474 TcpSession ssn;
475 int result = 0;
476 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
477
478 memset(&f, 0, sizeof(Flow));
479 memset(&th_v, 0, sizeof(th_v));
480 memset(&ssn, 0, sizeof(ssn));
481
482 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
483
484 FLOW_INITIALIZE(&f);
485 f.protoctx = (void *)&ssn;
486 f.flags |= FLOW_IPV4;
487 f.proto = IPPROTO_TCP;
488 p->flow = &f;
489 p->flowflags |= FLOW_PKT_TOSERVER;
490 p->flowflags |= FLOW_PKT_ESTABLISHED;
491 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
492 f.alproto = ALPROTO_HTTP;
493
494 StreamTcpInitConfig(TRUE);
495
496 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
497 if (de_ctx == NULL) {
498 goto end;
499 }
500
501 de_ctx->flags |= DE_QUIET;
502
503 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
504 if (de_ctx->sig_list == NULL) {
505 result = 0;
506 goto end;
507 }
508 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
509 if (de_ctx->sig_list->next == NULL) {
510 result = 0;
511 goto end;
512 }
513
514 SigGroupBuild(de_ctx);
515 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
516
517 FLOWLOCK_WRLOCK(&f);
518 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
519 STREAM_TOSERVER, buf, buflen);
520 if (r != 0) {
521 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
522 result = 0;
523 FLOWLOCK_UNLOCK(&f);
524 goto end;
525 }
526 FLOWLOCK_UNLOCK(&f);
527
528 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
529 if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
530 result = 1;
531 else
532 printf("sid:1 %s, sid:2 %s: ",
533 PacketAlertCheck(p, 1) ? "OK" : "FAIL",
534 PacketAlertCheck(p, 2) ? "OK" : "FAIL");
535
536 end:
537 FlowCleanupAppLayer(&f);
538 SigGroupCleanup(de_ctx);
539 SigCleanSignatures(de_ctx);
540
541 if (det_ctx)
542 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
543 DetectEngineCtxFree(de_ctx);
544 if (alp_tctx != NULL)
545 AppLayerParserThreadCtxFree(alp_tctx);
546 UTHFreePackets(&p, 1);
547 StreamTcpFreeConfig(TRUE);
548 FLOW_DESTROY(&f);
549 return result;
550 }
551
SigTest09(void)552 static int SigTest09 (void)
553 {
554 uint8_t *buf = (uint8_t *)
555 "GET /one/ HTTP/1.0\r\n" /* 20 */
556 "Host: one.example.org\r\n" /* 23, 43 */
557 "\r\n\r\n" /* 4, 47 */
558 "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
559 "Host: two.example.org\r\n" /* 23, 90 */
560 "\r\n\r\n"; /* 4, 94 */
561 uint16_t buflen = strlen((char *)buf);
562 Packet *p = NULL;
563 ThreadVars th_v;
564 DetectEngineThreadCtx *det_ctx = NULL;
565 Flow f;
566 TcpSession ssn;
567 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
568 int result = 0;
569
570 memset(&th_v, 0, sizeof(th_v));
571 memset(&f, 0, sizeof(f));
572 memset(&ssn, 0, sizeof(ssn));
573
574 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
575
576 FLOW_INITIALIZE(&f);
577 f.protoctx = (void *)&ssn;
578 f.flags |= FLOW_IPV4;
579 f.proto = IPPROTO_TCP;
580 p->flow = &f;
581 p->flowflags |= FLOW_PKT_TOSERVER;
582 p->flowflags |= FLOW_PKT_ESTABLISHED;
583 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
584 f.alproto = ALPROTO_HTTP;
585
586 StreamTcpInitConfig(TRUE);
587
588 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
589 if (de_ctx == NULL) {
590 goto end;
591 }
592
593 de_ctx->flags |= DE_QUIET;
594
595 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
596 if (de_ctx->sig_list == NULL) {
597 result = 0;
598 goto end;
599 }
600 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
601 if (de_ctx->sig_list->next == NULL) {
602 result = 0;
603 goto end;
604 }
605
606 SigGroupBuild(de_ctx);
607 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
608
609 FLOWLOCK_WRLOCK(&f);
610 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
611 STREAM_TOSERVER, buf, buflen);
612 if (r != 0) {
613 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
614 result = 0;
615 FLOWLOCK_UNLOCK(&f);
616 goto end;
617 }
618 FLOWLOCK_UNLOCK(&f);
619
620 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
621 if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
622 result = 1;
623 else
624 result = 0;
625
626 end:
627 FlowCleanupAppLayer(&f);
628 SigGroupCleanup(de_ctx);
629 SigCleanSignatures(de_ctx);
630 if (det_ctx)
631 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
632 DetectEngineCtxFree(de_ctx);
633 if (alp_tctx != NULL)
634 AppLayerParserThreadCtxFree(alp_tctx);
635 UTHFreePackets(&p, 1);
636 StreamTcpFreeConfig(TRUE);
637 FLOW_DESTROY(&f);
638 return result;
639 }
640
SigTest10(void)641 static int SigTest10 (void)
642 {
643 uint8_t *buf = (uint8_t *)
644 "ABC";
645 uint16_t buflen = strlen((char *)buf);
646 Packet *p = NULL;
647 ThreadVars th_v;
648 DetectEngineThreadCtx *det_ctx = NULL;
649 Flow f;
650 TcpSession ssn;
651 int result = 0;
652 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
653
654 memset(&th_v, 0, sizeof(th_v));
655 memset(&f, 0, sizeof(f));
656 memset(&ssn, 0, sizeof(ssn));
657
658 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
659
660 FLOW_INITIALIZE(&f);
661 f.protoctx = (void *)&ssn;
662 f.proto = IPPROTO_TCP;
663 f.flags |= FLOW_IPV4;
664 p->flow = &f;
665 p->flowflags |= FLOW_PKT_TOSERVER;
666 p->flowflags |= FLOW_PKT_ESTABLISHED;
667 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
668 f.alproto = ALPROTO_HTTP;
669
670 StreamTcpInitConfig(TRUE);
671
672 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
673 if (de_ctx == NULL) {
674 goto end;
675 }
676
677 de_ctx->flags |= DE_QUIET;
678
679 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
680 if (de_ctx->sig_list == NULL) {
681 result = 0;
682 goto end;
683 }
684 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; sid:2;)");
685 if (de_ctx->sig_list->next == NULL) {
686 result = 0;
687 goto end;
688 }
689
690 SigGroupBuild(de_ctx);
691 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
692
693 FLOWLOCK_WRLOCK(&f);
694 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
695 STREAM_TOSERVER, buf, buflen);
696 if (r != 0) {
697 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
698 result = 0;
699 FLOWLOCK_UNLOCK(&f);
700 goto end;
701 }
702 FLOWLOCK_UNLOCK(&f);
703
704 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
705 if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
706 result = 0;
707 else
708 result = 1;
709
710 end:
711 FlowCleanupAppLayer(&f);
712 SigGroupCleanup(de_ctx);
713 SigCleanSignatures(de_ctx);
714 if (det_ctx)
715 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
716 DetectEngineCtxFree(de_ctx);
717 if (alp_tctx != NULL)
718 AppLayerParserThreadCtxFree(alp_tctx);
719 UTHFreePackets(&p, 1);
720 StreamTcpFreeConfig(TRUE);
721 FLOW_DESTROY(&f);
722 return result;
723 }
724
SigTest11(void)725 static int SigTest11 (void)
726 {
727 uint8_t *buf = (uint8_t *)
728 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
729 uint16_t buflen = strlen((char *)buf);
730 Packet *p = NULL;
731 ThreadVars th_v;
732 DetectEngineThreadCtx *det_ctx = NULL;
733 Flow f;
734 TcpSession ssn;
735 int result = 0;
736
737 memset(&th_v, 0, sizeof(th_v));
738 memset(&f, 0, sizeof(f));
739 memset(&ssn, 0, sizeof(ssn));
740
741 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
742
743 FLOW_INITIALIZE(&f);
744 f.protoctx = (void *)&ssn;
745 f.proto = IPPROTO_TCP;
746 f.flags |= FLOW_IPV4;
747 p->flow = &f;
748 p->flowflags |= FLOW_PKT_TOSERVER;
749 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
750 f.alproto = ALPROTO_HTTP;
751
752 StreamTcpInitConfig(TRUE);
753
754 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
755 if (de_ctx == NULL) {
756 goto end;
757 }
758
759 de_ctx->flags |= DE_QUIET;
760
761 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
762 if (de_ctx->sig_list == NULL) {
763 goto end;
764 }
765 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
766 if (de_ctx->sig_list->next == NULL) {
767 goto end;
768 }
769
770 SigGroupBuild(de_ctx);
771 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
772
773 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
774 if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
775 result = 1;
776
777 end:
778 FlowCleanupAppLayer(&f);
779 SigGroupCleanup(de_ctx);
780 if (det_ctx)
781 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
782 DetectEngineCtxFree(de_ctx);
783 UTHFreePackets(&p, 1);
784 StreamTcpFreeConfig(TRUE);
785 FLOW_DESTROY(&f);
786 return result;
787 }
788
SigTest12(void)789 static int SigTest12 (void)
790 {
791 uint8_t *buf = (uint8_t *)
792 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
793 uint16_t buflen = strlen((char *)buf);
794 Packet *p = NULL;
795 ThreadVars th_v;
796 DetectEngineThreadCtx *det_ctx = NULL;
797 int result = 0;
798
799 memset(&th_v, 0, sizeof(th_v));
800 Flow f;
801 memset(&f, 0, sizeof(Flow));
802
803 FLOW_INITIALIZE(&f);
804
805 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
806 p->flow = &f;
807 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
808
809 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
810 if (de_ctx == NULL) {
811 goto end;
812 }
813
814 de_ctx->flags |= DE_QUIET;
815
816 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
817 if (de_ctx->sig_list == NULL) {
818 result = 0;
819 goto end;
820 }
821
822 SigGroupBuild(de_ctx);
823 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
824
825 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
826 if (PacketAlertCheck(p, 1))
827 result = 1;
828 else
829 result = 0;
830
831 if (det_ctx != NULL)
832 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
833 end:
834 UTHFreePackets(&p, 1);
835 if (de_ctx != NULL) {
836 SigGroupCleanup(de_ctx);
837 SigCleanSignatures(de_ctx);
838 DetectEngineCtxFree(de_ctx);
839 }
840 FLOW_DESTROY(&f);
841 return result;
842 }
843
SigTest13(void)844 static int SigTest13 (void)
845 {
846 uint8_t *buf = (uint8_t *)
847 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
848 uint16_t buflen = strlen((char *)buf);
849 Packet *p = NULL;
850 ThreadVars th_v;
851 DetectEngineThreadCtx *det_ctx = NULL;
852 int result = 0;
853
854 memset(&th_v, 0, sizeof(th_v));
855 Flow f;
856 memset(&f, 0, sizeof(Flow));
857
858 FLOW_INITIALIZE(&f);
859
860 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
861 p->flow = &f;
862 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
863
864 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
865 if (de_ctx == NULL) {
866 goto end;
867 }
868
869 de_ctx->flags |= DE_QUIET;
870
871 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
872 if (de_ctx->sig_list == NULL) {
873 result = 0;
874 goto end;
875 }
876
877 SigGroupBuild(de_ctx);
878 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
879
880 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
881 if (PacketAlertCheck(p, 1))
882 result = 1;
883 else
884 result = 0;
885
886 SigGroupCleanup(de_ctx);
887 SigCleanSignatures(de_ctx);
888 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
889 DetectEngineCtxFree(de_ctx);
890 end:
891 UTHFreePackets(&p, 1);
892 FLOW_DESTROY(&f);
893 return result;
894 }
895
SigTest14(void)896 static int SigTest14 (void)
897 {
898 uint8_t *buf = (uint8_t *)
899 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
900 uint16_t buflen = strlen((char *)buf);
901 Packet *p = NULL;
902 ThreadVars th_v;
903 DetectEngineThreadCtx *det_ctx = NULL;
904 int result = 0;
905
906 memset(&th_v, 0, sizeof(th_v));
907
908 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
909
910 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
911 if (de_ctx == NULL) {
912 goto end;
913 }
914
915 de_ctx->flags |= DE_QUIET;
916
917 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
918 if (de_ctx->sig_list == NULL) {
919 result = 0;
920 goto end;
921 }
922
923 SigGroupBuild(de_ctx);
924 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
925
926 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
927 if (PacketAlertCheck(p, 1))
928 result = 0;
929 else
930 result = 1;
931
932 SigGroupCleanup(de_ctx);
933 SigCleanSignatures(de_ctx);
934 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
935 DetectEngineCtxFree(de_ctx);
936 end:
937 UTHFreePackets(&p, 1);
938 return result;
939 }
940
SigTest15(void)941 static int SigTest15 (void)
942 {
943 uint8_t *buf = (uint8_t *)
944 "CONNECT 213.92.8.7:31204 HTTP/1.1";
945 uint16_t buflen = strlen((char *)buf);
946 Packet *p = SCMalloc(SIZE_OF_PACKET);
947 if (unlikely(p == NULL))
948 return 0;
949 ThreadVars th_v;
950 DetectEngineThreadCtx *det_ctx = NULL;
951 int result = 0;
952
953 memset(&th_v, 0, sizeof(th_v));
954 memset(p, 0, SIZE_OF_PACKET);
955 p->src.family = AF_INET;
956 p->dst.family = AF_INET;
957 p->payload = buf;
958 p->payload_len = buflen;
959 p->proto = IPPROTO_TCP;
960 p->dp = 80;
961
962 ConfCreateContextBackup();
963 ConfInit();
964 ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
965
966 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
967 if (de_ctx == NULL) {
968 goto end;
969 }
970
971 de_ctx->flags |= DE_QUIET;
972
973 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
974 if (de_ctx->sig_list == NULL) {
975 result = 0;
976 goto end;
977 }
978
979 SigGroupBuild(de_ctx);
980 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
981
982 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
983 if (PacketAlertCheck(p, 2008284))
984 result = 0;
985 else
986 result = 1;
987
988 SigGroupCleanup(de_ctx);
989 SigCleanSignatures(de_ctx);
990 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
991 DetectEngineCtxFree(de_ctx);
992 end:
993 ConfDeInit();
994 ConfRestoreContextBackup();
995 SCFree(p);
996 return result;
997 }
998
SigTest16(void)999 static int SigTest16 (void)
1000 {
1001 uint8_t *buf = (uint8_t *)
1002 "CONNECT 213.92.8.7:31204 HTTP/1.1";
1003 uint16_t buflen = strlen((char *)buf);
1004 Packet *p = NULL;
1005 ThreadVars th_v;
1006 DetectEngineThreadCtx *det_ctx = NULL;
1007 int result = 0;
1008
1009 memset(&th_v, 0, sizeof(th_v));
1010 memset(&p, 0, sizeof(p));
1011
1012 p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 1234);
1013
1014 ConfCreateContextBackup();
1015 ConfInit();
1016 ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1017
1018 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1019 if (de_ctx == NULL) {
1020 goto end;
1021 }
1022
1023 de_ctx->flags |= DE_QUIET;
1024
1025 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
1026 if (de_ctx->sig_list == NULL) {
1027 goto end;
1028 }
1029
1030 SigGroupBuild(de_ctx);
1031 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1032
1033 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1034 if (PacketAlertCheck(p, 2008284))
1035 result = 1;
1036 else
1037 printf("sid:2008284 %s: ", PacketAlertCheck(p, 2008284) ? "OK" : "FAIL");
1038
1039 SigGroupCleanup(de_ctx);
1040 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1041 DetectEngineCtxFree(de_ctx);
1042 end:
1043 ConfDeInit();
1044 ConfRestoreContextBackup();
1045 UTHFreePackets(&p, 1);
1046 return result;
1047 }
1048
SigTest17(void)1049 static int SigTest17 (void)
1050 {
1051 uint8_t *buf = (uint8_t *)
1052 "GET /one/ HTTP/1.1\r\n" /* 20 */
1053 "Host: one.example.org\r\n" /* 23, 43 */
1054 "\r\n\r\n" /* 4, 47 */
1055 "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
1056 "Host: two.example.org\r\n" /* 23, 90 */
1057 "\r\n\r\n"; /* 4, 94 */
1058 uint16_t buflen = strlen((char *)buf);
1059 Packet *p = NULL;
1060 ThreadVars th_v;
1061 DetectEngineThreadCtx *det_ctx = NULL;
1062 memset(&th_v, 0, sizeof(th_v));
1063
1064 p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
1065 FAIL_IF_NULL(p);
1066
1067 ConfCreateContextBackup();
1068 ConfInit();
1069 ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1070
1071 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1072 FAIL_IF_NULL(de_ctx);
1073 de_ctx->flags |= DE_QUIET;
1074
1075 Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
1076 FAIL_IF_NULL(s);
1077
1078 SigGroupBuild(de_ctx);
1079 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1080 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1081
1082 uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
1083
1084 PktVar *pv_hn = PktVarGet(p, capid);
1085 FAIL_IF_NULL(pv_hn);
1086
1087 FAIL_IF(pv_hn->value_len != 15);
1088 FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
1089
1090 PktVarFree(pv_hn);
1091 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1092 DetectEngineCtxFree(de_ctx);
1093 ConfDeInit();
1094 ConfRestoreContextBackup();
1095 UTHFreePackets(&p, 1);
1096
1097 PASS;
1098 }
1099
SigTest18(void)1100 static int SigTest18 (void)
1101 {
1102 uint8_t *buf = (uint8_t *)
1103 "220 (vsFTPd 2.0.5)\r\n";
1104 uint16_t buflen = strlen((char *)buf);
1105 Packet *p = SCMalloc(SIZE_OF_PACKET);
1106 if (unlikely(p == NULL))
1107 return 0;
1108 ThreadVars th_v;
1109 DetectEngineThreadCtx *det_ctx = NULL;
1110 int result = 0;
1111
1112 memset(&th_v, 0, sizeof(th_v));
1113 memset(p, 0, SIZE_OF_PACKET);
1114 p->src.family = AF_INET;
1115 p->dst.family = AF_INET;
1116 p->payload = buf;
1117 p->payload_len = buflen;
1118 p->proto = IPPROTO_TCP;
1119 p->dp = 34260;
1120 p->sp = 21;
1121
1122 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1123 if (de_ctx == NULL) {
1124 goto end;
1125 }
1126
1127 de_ctx->flags |= DE_QUIET;
1128
1129 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
1130 if (de_ctx->sig_list == NULL) {
1131 result = 0;
1132 goto end;
1133 }
1134
1135 SigGroupBuild(de_ctx);
1136 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1137
1138 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1139 if (!PacketAlertCheck(p, 2003055))
1140 result = 1;
1141 else
1142 printf("signature shouldn't match, but did: ");
1143
1144 SigGroupCleanup(de_ctx);
1145 SigCleanSignatures(de_ctx);
1146 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1147 DetectEngineCtxFree(de_ctx);
1148 end:
1149 SCFree(p);
1150 return result;
1151 }
1152
SigTest19(void)1153 static int SigTest19 (void)
1154 {
1155 uint8_t *buf = (uint8_t *)
1156 "220 (vsFTPd 2.0.5)\r\n";
1157 uint16_t buflen = strlen((char *)buf);
1158 Packet *p = SCMalloc(SIZE_OF_PACKET);
1159 if (unlikely(p == NULL))
1160 return 0;
1161 ThreadVars th_v;
1162 DetectEngineThreadCtx *det_ctx = NULL;
1163 int result = 0;
1164
1165 memset(&th_v, 0, sizeof(th_v));
1166 memset(p, 0, SIZE_OF_PACKET);
1167 p->src.family = AF_INET;
1168 p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1169 p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1170 p->dst.family = AF_INET;
1171 p->payload = buf;
1172 p->payload_len = buflen;
1173 p->proto = IPPROTO_TCP;
1174 p->dp = 34260;
1175 p->sp = 21;
1176 p->flowflags |= FLOW_PKT_TOSERVER;
1177
1178 ConfCreateContextBackup();
1179 ConfInit();
1180 ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1181
1182 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1183 if (de_ctx == NULL) {
1184 goto end;
1185 }
1186
1187 de_ctx->flags |= DE_QUIET;
1188
1189 de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> 1.2.3.4 any (msg:\"IP-ONLY test (1)\"; sid:999; rev:1;)");
1190 if (de_ctx->sig_list == NULL) {
1191 result = 0;
1192 goto end;
1193 }
1194
1195 SigGroupBuild(de_ctx);
1196 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1197
1198 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1199 if (PacketAlertCheck(p, 999))
1200 result = 1;
1201 else
1202 printf("signature didn't match, but should have: ");
1203
1204 SigGroupCleanup(de_ctx);
1205 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1206 DetectEngineCtxFree(de_ctx);
1207 end:
1208 ConfDeInit();
1209 ConfRestoreContextBackup();
1210 SCFree(p);
1211 return result;
1212 }
1213
SigTest20(void)1214 static int SigTest20 (void)
1215 {
1216 uint8_t *buf = (uint8_t *)
1217 "220 (vsFTPd 2.0.5)\r\n";
1218 uint16_t buflen = strlen((char *)buf);
1219 Packet *p = SCMalloc(SIZE_OF_PACKET);
1220 if (unlikely(p == NULL))
1221 return 0;
1222 ThreadVars th_v;
1223 DetectEngineThreadCtx *det_ctx = NULL;
1224 int result = 0;
1225
1226 memset(&th_v, 0, sizeof(th_v));
1227 memset(p, 0, SIZE_OF_PACKET);
1228 p->src.family = AF_INET;
1229 p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1230 p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1231 p->dst.family = AF_INET;
1232 p->payload = buf;
1233 p->payload_len = buflen;
1234 p->proto = IPPROTO_TCP;
1235 p->dp = 34260;
1236 p->sp = 21;
1237 p->flowflags |= FLOW_PKT_TOSERVER;
1238
1239 ConfCreateContextBackup();
1240 ConfInit();
1241 ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1242
1243 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1244 if (de_ctx == NULL) {
1245 goto end;
1246 }
1247
1248 de_ctx->flags |= DE_QUIET;
1249
1250 de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1251 if (de_ctx->sig_list == NULL) {
1252 result = 0;
1253 goto end;
1254 }
1255
1256 SigGroupBuild(de_ctx);
1257 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1258
1259 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1260 if (PacketAlertCheck(p, 999))
1261 result = 1;
1262 else
1263 printf("signature didn't match, but should have: ");
1264
1265 SigGroupCleanup(de_ctx);
1266 SigCleanSignatures(de_ctx);
1267 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1268 DetectEngineCtxFree(de_ctx);
1269 end:
1270 ConfDeInit();
1271 ConfRestoreContextBackup();
1272 SCFree(p);
1273 return result;
1274 }
1275
SigTest21(void)1276 static int SigTest21 (void)
1277 {
1278 ThreadVars th_v;
1279 memset(&th_v, 0, sizeof(th_v));
1280 DetectEngineThreadCtx *det_ctx = NULL;
1281 int result = 0;
1282
1283 Flow f;
1284 memset(&f, 0, sizeof(f));
1285 FLOW_INITIALIZE(&f);
1286
1287 /* packet 1 */
1288 uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1289 "\r\n\r\n";
1290 uint16_t buf1len = strlen((char *)buf1);
1291 Packet *p1 = NULL;
1292 /* packet 2 */
1293 uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1294 "\r\n\r\n";
1295 uint16_t buf2len = strlen((char *)buf2);
1296 Packet *p2 = NULL;
1297
1298 p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1299 p1->flow = &f;
1300 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1301 p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1302 p2->flow = &f;
1303 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1304
1305 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1306 if (de_ctx == NULL) {
1307 goto end;
1308 }
1309
1310 de_ctx->flags |= DE_QUIET;
1311
1312 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1313 if (de_ctx->sig_list == NULL) {
1314 result = 0;
1315 goto end;
1316 }
1317 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1318 if (de_ctx->sig_list == NULL) {
1319 result = 0;
1320 goto end;
1321 }
1322
1323 SigGroupBuild(de_ctx);
1324 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1325
1326 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1327 if (PacketAlertCheck(p1, 1)) {
1328 printf("sid 1 alerted, but shouldn't: ");
1329 goto end;
1330 }
1331 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1332 if (!(PacketAlertCheck(p2, 2))) {
1333 printf("sid 2 didn't alert, but should have: ");
1334 goto end;
1335 }
1336
1337 result = 1;
1338 end:
1339 if (de_ctx != NULL) {
1340 SigGroupCleanup(de_ctx);
1341 SigCleanSignatures(de_ctx);
1342
1343 if (det_ctx != NULL) {
1344 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1345 }
1346 }
1347 DetectEngineCtxFree(de_ctx);
1348 UTHFreePackets(&p1, 1);
1349 UTHFreePackets(&p2, 1);
1350 FLOW_DESTROY(&f);
1351 return result;
1352 }
1353
SigTest22(void)1354 static int SigTest22 (void)
1355 {
1356 ThreadVars th_v;
1357 memset(&th_v, 0, sizeof(th_v));
1358 DetectEngineThreadCtx *det_ctx = NULL;
1359 int result = 0;
1360
1361 Flow f;
1362 memset(&f, 0, sizeof(f));
1363 FLOW_INITIALIZE(&f);
1364
1365 /* packet 1 */
1366 uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1367 "\r\n\r\n";
1368 uint16_t buf1len = strlen((char *)buf1);
1369 Packet *p1 = NULL;
1370
1371 p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1372 p1->flow = &f;
1373 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1374
1375 /* packet 2 */
1376 uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1377 "\r\n\r\n";
1378 uint16_t buf2len = strlen((char *)buf2);
1379 Packet *p2 = NULL;
1380
1381 p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1382 p2->flow = &f;
1383 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1384
1385 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1386 if (de_ctx == NULL) {
1387 goto end;
1388 }
1389
1390 de_ctx->flags |= DE_QUIET;
1391
1392 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1393 if (de_ctx->sig_list == NULL) {
1394 result = 0;
1395 goto end;
1396 }
1397 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
1398 if (de_ctx->sig_list == NULL) {
1399 result = 0;
1400 goto end;
1401 }
1402
1403 SigGroupBuild(de_ctx);
1404 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1405
1406 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1407 if (PacketAlertCheck(p1, 1)) {
1408 printf("sid 1 alerted, but shouldn't: ");
1409 goto end;
1410 }
1411 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1412 if (!(PacketAlertCheck(p2, 2)))
1413 result = 1;
1414 else
1415 printf("sid 2 alerted, but shouldn't: ");
1416
1417 SigGroupCleanup(de_ctx);
1418 SigCleanSignatures(de_ctx);
1419
1420 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1421 DetectEngineCtxFree(de_ctx);
1422 end:
1423 UTHFreePackets(&p1, 1);
1424 UTHFreePackets(&p2, 1);
1425 FLOW_DESTROY(&f);
1426 return result;
1427 }
1428
SigTest23(void)1429 static int SigTest23 (void)
1430 {
1431 ThreadVars th_v;
1432 memset(&th_v, 0, sizeof(th_v));
1433 DetectEngineThreadCtx *det_ctx = NULL;
1434 int result = 0;
1435
1436 Flow f;
1437 memset(&f, 0, sizeof(f));
1438 FLOW_INITIALIZE(&f);
1439
1440 /* packet 1 */
1441 uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1442 "\r\n\r\n";
1443 uint16_t buf1len = strlen((char *)buf1);
1444 Packet *p1 = NULL;
1445
1446 p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1447 p1->flow = &f;
1448 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1449
1450 /* packet 2 */
1451 uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1452 "\r\n\r\n";
1453 uint16_t buf2len = strlen((char *)buf2);
1454 Packet *p2 = NULL;
1455
1456 p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1457 p2->flow = &f;
1458 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1459
1460 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1461 if (de_ctx == NULL) {
1462 goto end;
1463 }
1464
1465 de_ctx->flags |= DE_QUIET;
1466
1467 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1468 if (de_ctx->sig_list == NULL) {
1469 result = 0;
1470 goto end;
1471 }
1472 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1473 if (de_ctx->sig_list == NULL) {
1474 result = 0;
1475 goto end;
1476 }
1477
1478 SigGroupBuild(de_ctx);
1479 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1480
1481 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1482 if (PacketAlertCheck(p1, 1)) {
1483 printf("sid 1 alerted, but shouldn't: ");
1484 goto end;
1485 }
1486 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1487 if (PacketAlertCheck(p2, 2))
1488 result = 1;
1489 else
1490 printf("sid 2 didn't alert, but should have: ");
1491
1492 SigGroupCleanup(de_ctx);
1493 SigCleanSignatures(de_ctx);
1494
1495 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1496 DetectEngineCtxFree(de_ctx);
1497 end:
1498 UTHFreePackets(&p1, 1);
1499 UTHFreePackets(&p2, 1);
1500 FLOW_DESTROY(&f);
1501 return result;
1502 }
1503
SigTest24IPV4Keyword(void)1504 static int SigTest24IPV4Keyword(void)
1505 {
1506 uint8_t valid_raw_ipv4[] = {
1507 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1508 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1509 0xc0, 0xa8, 0x01, 0x03};
1510
1511 uint8_t invalid_raw_ipv4[] = {
1512 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1513 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1514 0xc0, 0xa8, 0x01, 0x06};
1515
1516 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
1517 if (unlikely(p1 == NULL))
1518 return 0;
1519 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
1520 if (unlikely(p2 == NULL)) {
1521 SCFree(p1);
1522 return 0;
1523 }
1524 ThreadVars th_v;
1525 DetectEngineThreadCtx *det_ctx = NULL;
1526 int result = 0;
1527
1528 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1529 "\r\n\r\n";
1530 uint16_t buflen = strlen((char *)buf);
1531
1532 memset(&th_v, 0, sizeof(ThreadVars));
1533 memset(p1, 0, SIZE_OF_PACKET);
1534 memset(p2, 0, SIZE_OF_PACKET);
1535 PACKET_RESET_CHECKSUMS(p1);
1536 PACKET_RESET_CHECKSUMS(p2);
1537
1538 p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1539
1540 p1->src.family = AF_INET;
1541 p1->dst.family = AF_INET;
1542 p1->payload = buf;
1543 p1->payload_len = buflen;
1544 p1->proto = IPPROTO_TCP;
1545
1546 p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1547
1548 p2->src.family = AF_INET;
1549 p2->dst.family = AF_INET;
1550 p2->payload = buf;
1551 p2->payload_len = buflen;
1552 p2->proto = IPPROTO_TCP;
1553
1554 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1555 if (de_ctx == NULL) {
1556 goto end;
1557 }
1558
1559 de_ctx->flags |= DE_QUIET;
1560
1561 de_ctx->sig_list = SigInit(de_ctx,
1562 "alert ip any any -> any any "
1563 "(content:\"/one/\"; ipv4-csum:valid; "
1564 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1565 if (de_ctx->sig_list == NULL) {
1566 printf("sig 1 parse: ");
1567 goto end;
1568 }
1569
1570 de_ctx->sig_list->next = SigInit(de_ctx,
1571 "alert ip any any -> any any "
1572 "(content:\"/one/\"; ipv4-csum:invalid; "
1573 "msg:\"ipv4-csum keyword check(1)\"; "
1574 "sid:2;)");
1575 if (de_ctx->sig_list->next == NULL) {
1576 printf("sig 2 parse: ");
1577 goto end;
1578 }
1579
1580 SigGroupBuild(de_ctx);
1581 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1582
1583 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1584 if (!(PacketAlertCheck(p1, 1))) {
1585 printf("signature 1 didn't match, but should have: ");
1586 goto end;
1587 }
1588
1589 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1590 if (!((PacketAlertCheck(p2, 2)))) {
1591 printf("signature 2 didn't match, but should have: ");
1592 goto end;
1593 }
1594
1595 result = 1;
1596 end:
1597 if (det_ctx != NULL) {
1598 SigGroupCleanup(de_ctx);
1599 SigCleanSignatures(de_ctx);
1600 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1601 DetectEngineCtxFree(de_ctx);
1602 }
1603 SCFree(p1);
1604 SCFree(p2);
1605 return result;
1606 }
1607
SigTest25NegativeIPV4Keyword(void)1608 static int SigTest25NegativeIPV4Keyword(void)
1609 {
1610 uint8_t valid_raw_ipv4[] = {
1611 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1612 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1613 0xc0, 0xa8, 0x01, 0x03};
1614
1615 uint8_t invalid_raw_ipv4[] = {
1616 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1617 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1618 0xc0, 0xa8, 0x01, 0x06};
1619
1620 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
1621 if (unlikely(p1 == NULL))
1622 return 0;
1623 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
1624 if (unlikely(p2 == NULL)) {
1625 SCFree(p1);
1626 return 0;
1627 }
1628 ThreadVars th_v;
1629 DetectEngineThreadCtx *det_ctx = NULL;
1630 int result = 1;
1631
1632 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1633 "\r\n\r\n";
1634 uint16_t buflen = strlen((char *)buf);
1635
1636 memset(&th_v, 0, sizeof(ThreadVars));
1637 memset(p1, 0, SIZE_OF_PACKET);
1638 memset(p2, 0, SIZE_OF_PACKET);
1639 PACKET_RESET_CHECKSUMS(p1);
1640 PACKET_RESET_CHECKSUMS(p2);
1641
1642 p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1643
1644 p1->src.family = AF_INET;
1645 p1->dst.family = AF_INET;
1646 p1->payload = buf;
1647 p1->payload_len = buflen;
1648 p1->proto = IPPROTO_TCP;
1649
1650 p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1651
1652 p2->src.family = AF_INET;
1653 p2->dst.family = AF_INET;
1654 p2->payload = buf;
1655 p2->payload_len = buflen;
1656 p2->proto = IPPROTO_TCP;
1657
1658 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1659 if (de_ctx == NULL) {
1660 goto end;
1661 }
1662
1663 de_ctx->flags |= DE_QUIET;
1664
1665 de_ctx->sig_list = SigInit(de_ctx,
1666 "alert ip any any -> any any "
1667 "(content:\"/one/\"; ipv4-csum:invalid; "
1668 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1669 if (de_ctx->sig_list == NULL) {
1670 result &= 0;
1671 goto end;
1672 }
1673
1674 de_ctx->sig_list->next = SigInit(de_ctx,
1675 "alert ip any any -> any any "
1676 "(content:\"/one/\"; ipv4-csum:valid; "
1677 "msg:\"ipv4-csum keyword check(1)\"; "
1678 "sid:2;)");
1679 if (de_ctx->sig_list->next == NULL) {
1680 result &= 0;
1681 goto end;
1682 }
1683
1684 SigGroupBuild(de_ctx);
1685 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1686
1687 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1688 if (PacketAlertCheck(p1, 1))
1689 result &= 0;
1690 else
1691 result &= 1;
1692
1693 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1694 if (PacketAlertCheck(p2, 2))
1695 result &= 0;
1696 else
1697 result &= 1;
1698
1699 SigGroupCleanup(de_ctx);
1700 SigCleanSignatures(de_ctx);
1701 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1702 DetectEngineCtxFree(de_ctx);
1703 end:
1704 SCFree(p1);
1705 SCFree(p2);
1706 return result;
1707 }
1708
SigTest26TCPV4Keyword(void)1709 static int SigTest26TCPV4Keyword(void)
1710 {
1711 uint8_t raw_ipv4[] = {
1712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1713 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1714 0xc0, 0xa8, 0x01, 0x03};
1715
1716 uint8_t valid_raw_tcp[] = {
1717 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1718 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1719 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1720 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1721 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1722
1723 uint8_t invalid_raw_tcp[] = {
1724 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1725 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1726 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1727 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1728 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1729
1730 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
1731 if (unlikely(p1 == NULL))
1732 return 0;
1733
1734 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
1735 if (unlikely(p2 == NULL)) {
1736 SCFree(p1);
1737 return 0;
1738 }
1739
1740 ThreadVars th_v;
1741 DetectEngineThreadCtx *det_ctx = NULL;
1742
1743 memset(&th_v, 0, sizeof(ThreadVars));
1744 memset(p1, 0, SIZE_OF_PACKET);
1745 memset(p2, 0, SIZE_OF_PACKET);
1746
1747 PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1748 PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1749
1750 PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1751 PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1752
1753 PACKET_RESET_CHECKSUMS(p1);
1754 p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1755 p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1756 p1->src.family = AF_INET;
1757 p1->dst.family = AF_INET;
1758 p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1759 p1->payload_len = 20;
1760 p1->proto = IPPROTO_TCP;
1761
1762 PACKET_RESET_CHECKSUMS(p2);
1763 p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1764 p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1765 p2->src.family = AF_INET;
1766 p2->dst.family = AF_INET;
1767 p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1768 p2->payload_len = 20;
1769 p2->proto = IPPROTO_TCP;
1770
1771 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1772 FAIL_IF_NULL(de_ctx);
1773
1774 de_ctx->flags |= DE_QUIET;
1775
1776 de_ctx->sig_list = SigInit(de_ctx,
1777 "alert ip any any -> any any "
1778 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1779 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1780 FAIL_IF_NULL(de_ctx->sig_list);
1781
1782 de_ctx->sig_list->next = SigInit(de_ctx,
1783 "alert ip any any -> any any "
1784 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1785 "msg:\"tcpv4-csum keyword check(1)\"; "
1786 "sid:2;)");
1787 FAIL_IF_NULL(de_ctx->sig_list->next);
1788
1789 SigGroupBuild(de_ctx);
1790 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1791
1792 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1793 FAIL_IF(!(PacketAlertCheck(p1, 1)));
1794
1795 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1796 FAIL_IF(!(PacketAlertCheck(p2, 2)));
1797
1798 SigGroupCleanup(de_ctx);
1799 SigCleanSignatures(de_ctx);
1800 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1801 DetectEngineCtxFree(de_ctx);
1802 SCFree(p1);
1803 SCFree(p2);
1804 PASS;
1805 }
1806
1807 /* Test SigTest26TCPV4Keyword but also check for invalid IPV4 checksum */
SigTest26TCPV4AndNegativeIPV4Keyword(void)1808 static int SigTest26TCPV4AndNegativeIPV4Keyword(void)
1809 {
1810 uint8_t raw_ipv4[] = {
1811 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1812 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1813 0xc0, 0xa8, 0x01, 0x03};
1814
1815 uint8_t valid_raw_tcp[] = {
1816 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1817 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1818 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1819 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1820 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1821
1822 uint8_t invalid_raw_tcp[] = {
1823 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1824 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1825 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1826 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1827 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1828
1829 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
1830 if (unlikely(p1 == NULL))
1831 return 0;
1832
1833 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
1834 if (unlikely(p2 == NULL)) {
1835 SCFree(p1);
1836 return 0;
1837 }
1838
1839 ThreadVars th_v;
1840 DetectEngineThreadCtx *det_ctx = NULL;
1841 int result = 0;
1842
1843 memset(&th_v, 0, sizeof(ThreadVars));
1844 memset(p1, 0, SIZE_OF_PACKET);
1845 memset(p2, 0, SIZE_OF_PACKET);
1846
1847 PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1848 PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1849
1850 PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1851 PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1852
1853 PACKET_RESET_CHECKSUMS(p1);
1854 p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1855 p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1856 p1->src.family = AF_INET;
1857 p1->dst.family = AF_INET;
1858 p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1859 p1->payload_len = 20;
1860 p1->proto = IPPROTO_TCP;
1861
1862 PACKET_RESET_CHECKSUMS(p2);
1863 p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1864 p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1865 p2->src.family = AF_INET;
1866 p2->dst.family = AF_INET;
1867 p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1868 p2->payload_len = 20;
1869 p2->proto = IPPROTO_TCP;
1870
1871 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1872 if (de_ctx == NULL) {
1873 goto end;
1874 }
1875
1876 de_ctx->flags |= DE_QUIET;
1877
1878 de_ctx->sig_list = SigInit(de_ctx,
1879 "alert ip any any -> any any "
1880 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1881 "ipv4-csum:invalid; "
1882 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1883 if (de_ctx->sig_list == NULL) {
1884 goto end;
1885 }
1886
1887 de_ctx->sig_list->next = SigInit(de_ctx,
1888 "alert ip any any -> any any "
1889 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1890 "ipv4-csum:invalid; "
1891 "msg:\"tcpv4-csum keyword check(1)\"; "
1892 "sid:2;)");
1893 if (de_ctx->sig_list->next == NULL) {
1894 goto end;
1895 }
1896
1897 SigGroupBuild(de_ctx);
1898 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1899
1900 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1901 if (!(PacketAlertCheck(p1, 1))) {
1902 printf("sig 1 didn't match: ");
1903 goto end;
1904 }
1905
1906 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1907 if (!(PacketAlertCheck(p2, 2))) {
1908 printf("sig 2 didn't match: ");
1909 goto end;
1910 }
1911
1912 result = 1;
1913 end:
1914 SigGroupCleanup(de_ctx);
1915 SigCleanSignatures(de_ctx);
1916 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1917 DetectEngineCtxFree(de_ctx);
1918 SCFree(p1);
1919 SCFree(p2);
1920 return result;
1921 }
1922
1923 /* Similar to SigTest26, but with different packet */
SigTest26TCPV4AndIPV4Keyword(void)1924 static int SigTest26TCPV4AndIPV4Keyword(void)
1925 {
1926 /* IPV4: src:192.168.176.67 dst: 192.168.176.116
1927 * TTL: 64 Flags: Don't Fragment
1928 */
1929 uint8_t raw_ipv4[] = {
1930 0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1931 0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1932 0xc0, 0xa8, 0xb0, 0x74};
1933
1934 /* TCP: sport: 49517 dport: 445 Flags: SYN
1935 * Window size: 65535, checksum: 0x2009,
1936 * MTU: 1460, Window scale: 4, TSACK permitted,
1937 * 24 bytes of options, no payload.
1938 */
1939 uint8_t valid_raw_tcp[] = {
1940 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1941 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1942 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1943 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1944 0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1945 0x04, 0x02, 0x00, 0x00};
1946
1947 uint8_t invalid_raw_tcp[] = {
1948 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1949 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1950 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1951 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1952 0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1953 0x04, 0x02, 0x00, 0x00};
1954
1955 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
1956 if (unlikely(p1 == NULL))
1957 return 0;
1958
1959 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
1960 if (unlikely(p2 == NULL)) {
1961 SCFree(p1);
1962 return 0;
1963 }
1964
1965 ThreadVars th_v;
1966 DetectEngineThreadCtx *det_ctx = NULL;
1967 int result = 0;
1968
1969 memset(&th_v, 0, sizeof(ThreadVars));
1970 memset(p1, 0, SIZE_OF_PACKET);
1971 memset(p2, 0, SIZE_OF_PACKET);
1972
1973 PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1974 PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1975
1976 PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1977 PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1978
1979 PACKET_RESET_CHECKSUMS(p1);
1980 p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1981 p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1982 p1->src.family = AF_INET;
1983 p1->dst.family = AF_INET;
1984 p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20 + 24;
1985 p1->payload_len = 0;
1986 p1->proto = IPPROTO_TCP;
1987
1988 PACKET_RESET_CHECKSUMS(p2);
1989 p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1990 p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1991 p2->src.family = AF_INET;
1992 p2->dst.family = AF_INET;
1993 p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20 + 24;
1994 p2->payload_len = 0;
1995 p2->proto = IPPROTO_TCP;
1996
1997 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1998 if (de_ctx == NULL) {
1999 goto end;
2000 }
2001
2002 de_ctx->flags |= DE_QUIET;
2003
2004 de_ctx->sig_list = SigInit(de_ctx,
2005 "alert ip any any -> any any "
2006 "(tcpv4-csum:valid; "
2007 "ipv4-csum:valid; "
2008 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
2009 if (de_ctx->sig_list == NULL) {
2010 goto end;
2011 }
2012
2013 de_ctx->sig_list->next = SigInit(de_ctx,
2014 "alert ip any any -> any any "
2015 "(tcpv4-csum:invalid; "
2016 "ipv4-csum:valid; "
2017 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
2018 "sid:2;)");
2019 if (de_ctx->sig_list->next == NULL) {
2020 goto end;
2021 }
2022
2023 SigGroupBuild(de_ctx);
2024 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2025
2026 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2027 if (!(PacketAlertCheck(p1, 1))) {
2028 printf("sig 1 didn't match: ");
2029 goto end;
2030 }
2031
2032 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2033 if (!(PacketAlertCheck(p2, 2))) {
2034 printf("sig 2 didn't match: ");
2035 goto end;
2036 }
2037
2038 result = 1;
2039 end:
2040 SigGroupCleanup(de_ctx);
2041 SigCleanSignatures(de_ctx);
2042 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2043 DetectEngineCtxFree(de_ctx);
2044 SCFree(p1);
2045 SCFree(p2);
2046 return result;
2047 }
2048
SigTest27NegativeTCPV4Keyword(void)2049 static int SigTest27NegativeTCPV4Keyword(void)
2050 {
2051 uint8_t raw_ipv4[] = {
2052 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2053 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
2054 0xc0, 0xa8, 0x01, 0x03};
2055
2056 uint8_t valid_raw_tcp[] = {
2057 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2058 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2059 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2060 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2061 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
2062
2063 uint8_t invalid_raw_tcp[] = {
2064 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2065 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2066 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2067 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2068 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
2069
2070
2071 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
2072 if (unlikely(p1 == NULL))
2073 return 0;
2074 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
2075 if (unlikely(p2 == NULL)) {
2076 SCFree(p1);
2077 return 0;
2078 }
2079 ThreadVars th_v;
2080 DetectEngineThreadCtx *det_ctx = NULL;
2081 int result = 0;
2082
2083 memset(&th_v, 0, sizeof(ThreadVars));
2084 memset(p1, 0, SIZE_OF_PACKET);
2085 memset(p2, 0, SIZE_OF_PACKET);
2086
2087 PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
2088 PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
2089
2090 PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
2091 PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
2092
2093 PACKET_RESET_CHECKSUMS(p1);
2094 p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
2095 p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
2096 p1->src.family = AF_INET;
2097 p1->dst.family = AF_INET;
2098 p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
2099 p1->payload_len = 20;
2100 p1->proto = IPPROTO_TCP;
2101
2102 PACKET_RESET_CHECKSUMS(p2);
2103 p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
2104 p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
2105 p2->src.family = AF_INET;
2106 p2->dst.family = AF_INET;
2107 p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
2108 p2->payload_len = 20;
2109 p2->proto = IPPROTO_TCP;
2110
2111 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2112 if (de_ctx == NULL) {
2113 goto end;
2114 }
2115
2116 de_ctx->flags |= DE_QUIET;
2117
2118 de_ctx->sig_list = SigInit(de_ctx,
2119 "alert tcp any any -> any any "
2120 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
2121 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
2122 if (de_ctx->sig_list == NULL) {
2123 goto end;
2124 }
2125
2126 de_ctx->sig_list->next = SigInit(de_ctx,
2127 "alert tcp any any -> any any "
2128 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
2129 "msg:\"tcpv4-csum keyword check(2)\"; "
2130 "sid:2;)");
2131 if (de_ctx->sig_list->next == NULL) {
2132 goto end;
2133 }
2134
2135 SigGroupBuild(de_ctx);
2136 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2137
2138 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2139 if (!PacketAlertCheck(p1, 1)) {
2140 printf("sig 1 didn't match on p1: ");
2141 goto end;
2142 }
2143
2144 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2145 if (PacketAlertCheck(p2, 2)) {
2146 printf("sig 2 matched on p2: ");
2147 goto end;
2148 }
2149
2150 result = 1;
2151 end:
2152 SigGroupCleanup(de_ctx);
2153 SigCleanSignatures(de_ctx);
2154 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2155 DetectEngineCtxFree(de_ctx);
2156 SCFree(p1);
2157 SCFree(p2);
2158 return result;
2159 }
2160
SigTest28TCPV6Keyword(void)2161 static int SigTest28TCPV6Keyword(void)
2162 {
2163 static uint8_t valid_raw_ipv6[] = {
2164 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2165 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2166
2167 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2168 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2169 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2170 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2171 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2172
2173 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2174 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2175 0xf2, 0xf1, 0x00, 0x00,
2176
2177 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2178 0x00, 0x01, 0x69, 0x27};
2179
2180 static uint8_t invalid_raw_ipv6[] = {
2181 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2182 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2183
2184 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2185 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2186 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2187 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2188 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2189
2190 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2191 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2192 0xc2, 0xf1, 0x00, 0x00,
2193
2194 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2195 0x00, 0x01, 0x69, 0x28};
2196
2197 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
2198 if (unlikely(p1 == NULL))
2199 return 0;
2200 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
2201 if (unlikely(p2 == NULL)) {
2202 SCFree(p1);
2203 return 0;
2204 }
2205 ThreadVars th_v;
2206 DetectEngineThreadCtx *det_ctx = NULL;
2207 int result = 0;
2208
2209 memset(&th_v, 0, sizeof(ThreadVars));
2210 memset(p1, 0, SIZE_OF_PACKET);
2211 memset(p2, 0, SIZE_OF_PACKET);
2212
2213 PACKET_RESET_CHECKSUMS(p1);
2214 p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2215 p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2216 p1->src.family = AF_INET;
2217 p1->dst.family = AF_INET;
2218 p1->payload = valid_raw_ipv6 + 54 + 20;
2219 p1->payload_len = 12;
2220 p1->proto = IPPROTO_TCP;
2221
2222 if (TCP_GET_HLEN(p1) != 20) {
2223 BUG_ON(1);
2224 }
2225
2226 PACKET_RESET_CHECKSUMS(p2);
2227 p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2228 p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2229 p2->src.family = AF_INET;
2230 p2->dst.family = AF_INET;
2231 p2->payload = invalid_raw_ipv6 + 54 + 20;;
2232 p2->payload_len = 12;
2233 p2->proto = IPPROTO_TCP;
2234
2235 if (TCP_GET_HLEN(p2) != 20) {
2236 BUG_ON(1);
2237 }
2238
2239 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2240 if (de_ctx == NULL) {
2241 goto end;
2242 }
2243
2244 de_ctx->flags |= DE_QUIET;
2245
2246 de_ctx->sig_list = SigInit(de_ctx,
2247 "alert tcp any any -> any any "
2248 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2249 "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2250 if (de_ctx->sig_list == NULL) {
2251 goto end;
2252 }
2253
2254 de_ctx->sig_list->next = SigInit(de_ctx,
2255 "alert tcp any any -> any any "
2256 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2257 "msg:\"tcpv6-csum keyword check(1)\"; "
2258 "sid:2;)");
2259 if (de_ctx->sig_list->next == NULL) {
2260 goto end;
2261 }
2262
2263 SigGroupBuild(de_ctx);
2264 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2265
2266 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2267 if (!(PacketAlertCheck(p1, 1))) {
2268 printf("sid 1 didn't match on p1: ");
2269 goto end;
2270 }
2271
2272 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2273 if (!(PacketAlertCheck(p2, 2))) {
2274 printf("sid 2 didn't match on p2: ");
2275 goto end;
2276 }
2277
2278 result = 1;
2279 end:
2280 SigGroupCleanup(de_ctx);
2281 SigCleanSignatures(de_ctx);
2282 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2283 DetectEngineCtxFree(de_ctx);
2284 SCFree(p1);
2285 SCFree(p2);
2286 return result;
2287 }
2288
SigTest29NegativeTCPV6Keyword(void)2289 static int SigTest29NegativeTCPV6Keyword(void)
2290 {
2291 static uint8_t valid_raw_ipv6[] = {
2292 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2293 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2294
2295 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2296 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2297 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2298 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2299 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2300
2301 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2302 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2303 0xf2, 0xf1, 0x00, 0x00,
2304
2305 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2306 0x00, 0x01, 0x69, 0x27};
2307
2308 static uint8_t invalid_raw_ipv6[] = {
2309 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2310 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2311
2312 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2313 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2314 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2315 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2316 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2317
2318 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2319 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2320 0xc2, 0xf1, 0x00, 0x00,
2321
2322 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2323 0x00, 0x01, 0x69, 0x28};
2324
2325 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
2326 if (unlikely(p1 == NULL))
2327 return 0;
2328 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
2329 if (unlikely(p2 == NULL)) {
2330 SCFree(p1);
2331 return 0;
2332 }
2333 ThreadVars th_v;
2334 DetectEngineThreadCtx *det_ctx = NULL;
2335 int result = 0;
2336
2337 memset(&th_v, 0, sizeof(ThreadVars));
2338 memset(p1, 0, SIZE_OF_PACKET);
2339 memset(p2, 0, SIZE_OF_PACKET);
2340
2341 PACKET_RESET_CHECKSUMS(p1);
2342 p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2343 p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2344 p1->src.family = AF_INET;
2345 p1->dst.family = AF_INET;
2346 p1->payload = valid_raw_ipv6 + 54 + 20;
2347 p1->payload_len = 12;
2348 p1->proto = IPPROTO_TCP;
2349
2350 if (TCP_GET_HLEN(p1) != 20) {
2351 BUG_ON(1);
2352 }
2353
2354 PACKET_RESET_CHECKSUMS(p2);
2355 p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2356 p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2357 p2->src.family = AF_INET;
2358 p2->dst.family = AF_INET;
2359 p2->payload = invalid_raw_ipv6 + 54 + 20;;
2360 p2->payload_len = 12;
2361 p2->proto = IPPROTO_TCP;
2362
2363 if (TCP_GET_HLEN(p2) != 20) {
2364 BUG_ON(1);
2365 }
2366
2367 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2368 if (de_ctx == NULL) {
2369 goto end;
2370 }
2371
2372 de_ctx->flags |= DE_QUIET;
2373
2374 de_ctx->sig_list = SigInit(de_ctx,
2375 "alert tcp any any -> any any "
2376 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2377 "msg:\"tcpv6-csum keyword check(1)\"; "
2378 "sid:1;)");
2379 if (de_ctx->sig_list == NULL) {
2380 goto end;
2381 }
2382
2383 de_ctx->sig_list->next = SigInit(de_ctx,
2384 "alert tcp any any -> any any "
2385 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2386 "msg:\"tcpv6-csum keyword check(1)\"; "
2387 "sid:2;)");
2388 if (de_ctx->sig_list->next == NULL) {
2389 goto end;
2390 }
2391
2392 SigGroupBuild(de_ctx);
2393 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2394
2395 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2396 if (PacketAlertCheck(p1, 1))
2397 goto end;
2398
2399 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2400 if (PacketAlertCheck(p2, 2))
2401 goto end;
2402
2403 result = 1;
2404 end:
2405 SigGroupCleanup(de_ctx);
2406 SigCleanSignatures(de_ctx);
2407 if (det_ctx != NULL)
2408 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2409 DetectEngineCtxFree(de_ctx);
2410 SCFree(p1);
2411 SCFree(p2);
2412 return result;
2413 }
2414
SigTest30UDPV4Keyword(void)2415 static int SigTest30UDPV4Keyword(void)
2416 {
2417 uint8_t raw_ipv4[] = {
2418 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2419 0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2420 0xc0, 0xa8, 0x01, 0x03};
2421
2422 uint8_t valid_raw_udp[] = {
2423 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2424 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2425 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2426 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2427 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2428 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2429 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2430 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2431 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2432 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2433 0x67, 0x6c, 0x65, 0xc0, 0x26};
2434
2435 uint8_t invalid_raw_udp[] = {
2436 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2437 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2438 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2439 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2440 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2441 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2442 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2443 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2444 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2445 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2446 0x67, 0x6c, 0x65, 0xc0, 0x27};
2447
2448 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
2449 FAIL_IF_NULL(p1);
2450 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
2451 FAIL_IF_NULL(p2);
2452
2453 ThreadVars th_v;
2454 DetectEngineThreadCtx *det_ctx = NULL;
2455
2456 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2457 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2458
2459 memset(&th_v, 0, sizeof(ThreadVars));
2460 memset(p1, 0, SIZE_OF_PACKET);
2461 memset(p2, 0, SIZE_OF_PACKET);
2462
2463 PACKET_RESET_CHECKSUMS(p1);
2464 p1->ip4h = (IPV4Hdr *)raw_ipv4;
2465 p1->udph = (UDPHdr *)valid_raw_udp;
2466 p1->src.family = AF_INET;
2467 p1->dst.family = AF_INET;
2468 p1->payload = buf;
2469 p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2470 p1->proto = IPPROTO_UDP;
2471
2472 PACKET_RESET_CHECKSUMS(p2);
2473 p2->ip4h = (IPV4Hdr *)raw_ipv4;
2474 p2->udph = (UDPHdr *)invalid_raw_udp;
2475 p2->src.family = AF_INET;
2476 p2->dst.family = AF_INET;
2477 p2->payload = buf;
2478 p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2479 p2->proto = IPPROTO_UDP;
2480
2481 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2482 FAIL_IF_NULL(de_ctx);
2483
2484 de_ctx->flags |= DE_QUIET;
2485
2486 de_ctx->sig_list = SigInit(de_ctx,
2487 "alert udp any any -> any any "
2488 "(content:\"/one/\"; udpv4-csum:valid; "
2489 "msg:\"udpv4-csum keyword check(1)\"; "
2490 "sid:1;)");
2491 FAIL_IF_NULL(de_ctx->sig_list);
2492
2493 de_ctx->sig_list->next = SigInit(de_ctx,
2494 "alert udp any any -> any any "
2495 "(content:\"/one/\"; udpv4-csum:invalid; "
2496 "msg:\"udpv4-csum keyword check(1)\"; "
2497 "sid:2;)");
2498 FAIL_IF_NULL(de_ctx->sig_list->next);
2499
2500 SigGroupBuild(de_ctx);
2501 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2502
2503 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2504 FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2505
2506 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2507 FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2508
2509 SigGroupCleanup(de_ctx);
2510 SigCleanSignatures(de_ctx);
2511 if (det_ctx != NULL)
2512 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2513 DetectEngineCtxFree(de_ctx);
2514 SCFree(p1);
2515 SCFree(p2);
2516 PASS;
2517 }
2518
SigTest31NegativeUDPV4Keyword(void)2519 static int SigTest31NegativeUDPV4Keyword(void)
2520 {
2521 uint8_t raw_ipv4[] = {
2522 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2523 0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2524 0xc0, 0xa8, 0x01, 0x03};
2525
2526 uint8_t valid_raw_udp[] = {
2527 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2528 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2529 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2530 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2531 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2532 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2533 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2534 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2535 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2536 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2537 0x67, 0x6c, 0x65, 0xc0, 0x26};
2538
2539 uint8_t invalid_raw_udp[] = {
2540 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2541 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2542 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2543 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2544 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2545 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2546 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2547 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2548 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2549 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2550 0x67, 0x6c, 0x65, 0xc0, 0x27};
2551
2552 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
2553 if (unlikely(p1 == NULL))
2554 return 0;
2555 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
2556 if (unlikely(p2 == NULL)) {
2557 SCFree(p1);
2558 return 0;
2559 }
2560 ThreadVars th_v;
2561 DetectEngineThreadCtx *det_ctx = NULL;
2562 int result = 1;
2563
2564 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2565 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2566
2567 memset(&th_v, 0, sizeof(ThreadVars));
2568 memset(p1, 0, SIZE_OF_PACKET);
2569 memset(p2, 0, SIZE_OF_PACKET);
2570
2571 PACKET_RESET_CHECKSUMS(p1);
2572 p1->ip4h = (IPV4Hdr *)raw_ipv4;
2573 p1->udph = (UDPHdr *)valid_raw_udp;
2574 p1->src.family = AF_INET;
2575 p1->dst.family = AF_INET;
2576 p1->payload = buf;
2577 p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2578 p1->proto = IPPROTO_UDP;
2579
2580 PACKET_RESET_CHECKSUMS(p2);
2581 p2->ip4h = (IPV4Hdr *)raw_ipv4;
2582 p2->udph = (UDPHdr *)invalid_raw_udp;
2583 p2->src.family = AF_INET;
2584 p2->dst.family = AF_INET;
2585 p2->payload = buf;
2586 p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2587 p2->proto = IPPROTO_UDP;
2588
2589 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2590 if (de_ctx == NULL) {
2591 goto end;
2592 }
2593
2594 de_ctx->flags |= DE_QUIET;
2595
2596 de_ctx->sig_list = SigInit(de_ctx,
2597 "alert udp any any -> any any "
2598 "(content:\"/one/\"; udpv4-csum:invalid; "
2599 "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2600 if (de_ctx->sig_list == NULL) {
2601 result &= 0;
2602 goto end;
2603 }
2604
2605 de_ctx->sig_list->next = SigInit(de_ctx,
2606 "alert udp any any -> any any "
2607 "(content:\"/one/\"; udpv4-csum:valid; "
2608 "msg:\"udpv4-csum keyword check(1)\"; "
2609 "sid:2;)");
2610 if (de_ctx->sig_list->next == NULL) {
2611 result &= 0;
2612 goto end;
2613 }
2614
2615 SigGroupBuild(de_ctx);
2616 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2617
2618 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2619 if (PacketAlertCheck(p1, 1))
2620 result &= 0;
2621 else
2622 result &= 1;
2623
2624 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2625 if (PacketAlertCheck(p2, 2)) {
2626 result &= 0;
2627 }
2628 else
2629 result &= 1;
2630
2631 SigGroupCleanup(de_ctx);
2632 SigCleanSignatures(de_ctx);
2633 if (det_ctx != NULL)
2634 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2635 DetectEngineCtxFree(de_ctx);
2636 end:
2637 SCFree(p1);
2638 SCFree(p2);
2639 return result;
2640 }
2641
2642
SigTest32UDPV6Keyword(void)2643 static int SigTest32UDPV6Keyword(void)
2644 {
2645 static uint8_t valid_raw_ipv6[] = {
2646 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2647 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2648 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2649 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2650 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2651 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2652 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2653 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2654 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2655 0x09, 0x00};
2656
2657 static uint8_t invalid_raw_ipv6[] = {
2658 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2659 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2660 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2661 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2662 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2663 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2664 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2665 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2666 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2667 0x09, 0x01};
2668
2669 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
2670 FAIL_IF_NULL(p1);
2671 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
2672 FAIL_IF_NULL(p2);
2673
2674 ThreadVars th_v;
2675 DetectEngineThreadCtx *det_ctx = NULL;
2676
2677 uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2678 "\r\n\r\n";
2679
2680 memset(&th_v, 0, sizeof(ThreadVars));
2681 memset(p1, 0, SIZE_OF_PACKET);
2682 memset(p2, 0, SIZE_OF_PACKET);
2683
2684 PACKET_RESET_CHECKSUMS(p1);
2685 p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2686 p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2687 p1->src.family = AF_INET;
2688 p1->dst.family = AF_INET;
2689 p1->payload = buf;
2690 p1->payload_len = IPV6_GET_PLEN((p1)) - UDP_HEADER_LEN;
2691 p1->proto = IPPROTO_UDP;
2692
2693 PACKET_RESET_CHECKSUMS(p2);
2694 p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2695 p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2696 p2->src.family = AF_INET;
2697 p2->dst.family = AF_INET;
2698 p2->payload = buf;
2699 p2->payload_len = IPV6_GET_PLEN((p2)) - UDP_HEADER_LEN;
2700 p2->proto = IPPROTO_UDP;
2701
2702 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2703 FAIL_IF_NULL(de_ctx);
2704
2705 de_ctx->flags |= DE_QUIET;
2706
2707 de_ctx->sig_list = SigInit(de_ctx,
2708 "alert udp any any -> any any "
2709 "(content:\"/one/\"; udpv6-csum:valid; "
2710 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2711 FAIL_IF_NULL(de_ctx->sig_list);
2712
2713 de_ctx->sig_list->next = SigInit(de_ctx,
2714 "alert udp any any -> any any "
2715 "(content:\"/one/\"; udpv6-csum:invalid; "
2716 "msg:\"udpv6-csum keyword check(1)\"; "
2717 "sid:2;)");
2718 FAIL_IF_NULL(de_ctx->sig_list->next);
2719
2720 SigGroupBuild(de_ctx);
2721 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2722
2723 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2724 FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2725
2726 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2727 FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2728
2729 SigGroupCleanup(de_ctx);
2730 SigCleanSignatures(de_ctx);
2731 if (det_ctx != NULL)
2732 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2733 DetectEngineCtxFree(de_ctx);
2734
2735 SCFree(p1);
2736 SCFree(p2);
2737 PASS;
2738 }
2739
SigTest33NegativeUDPV6Keyword(void)2740 static int SigTest33NegativeUDPV6Keyword(void)
2741 {
2742 static uint8_t valid_raw_ipv6[] = {
2743 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2744 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2745 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2746 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2747 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2748 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2749 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2750 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2751 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2752 0x09, 0x00};
2753
2754 static uint8_t invalid_raw_ipv6[] = {
2755 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2756 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2757 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2758 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2759 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2760 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2761 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2762 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2763 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2764 0x09, 0x01};
2765
2766 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
2767 if (unlikely(p1 == NULL))
2768 return 0;
2769 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
2770 if (unlikely(p2 == NULL)) {
2771 SCFree(p1);
2772 return 0;
2773 }
2774 ThreadVars th_v;
2775 DetectEngineThreadCtx *det_ctx = NULL;
2776 int result = 1;
2777
2778 uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2779 "\r\n\r\n";
2780
2781 memset(&th_v, 0, sizeof(ThreadVars));
2782 memset(p1, 0, SIZE_OF_PACKET);
2783 memset(p2, 0, SIZE_OF_PACKET);
2784
2785 PACKET_RESET_CHECKSUMS(p1);
2786 p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2787 p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2788 p1->src.family = AF_INET;
2789 p1->dst.family = AF_INET;
2790 p1->payload = buf;
2791 p1->payload_len = IPV6_GET_PLEN((p1)) - UDP_HEADER_LEN;
2792 p1->proto = IPPROTO_UDP;
2793
2794 PACKET_RESET_CHECKSUMS(p2);
2795 p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2796 p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2797 p2->src.family = AF_INET;
2798 p2->dst.family = AF_INET;
2799 p2->payload = buf;
2800 p2->payload_len = IPV6_GET_PLEN((p2)) - UDP_HEADER_LEN;
2801 p2->proto = IPPROTO_UDP;
2802
2803 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2804 if (de_ctx == NULL) {
2805 goto end;
2806 }
2807
2808 de_ctx->flags |= DE_QUIET;
2809
2810 de_ctx->sig_list = SigInit(de_ctx,
2811 "alert udp any any -> any any "
2812 "(content:\"/one/\"; udpv6-csum:invalid; "
2813 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2814 if (de_ctx->sig_list == NULL) {
2815 result &= 0;
2816 goto end;
2817 }
2818
2819 de_ctx->sig_list->next = SigInit(de_ctx,
2820 "alert udp any any -> any any "
2821 "(content:\"/one/\"; udpv6-csum:valid; "
2822 "msg:\"udpv6-csum keyword check(1)\"; "
2823 "sid:2;)");
2824 if (de_ctx->sig_list->next == NULL) {
2825 result &= 0;
2826 goto end;
2827 }
2828
2829 SigGroupBuild(de_ctx);
2830 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2831
2832 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2833 if (PacketAlertCheck(p1, 1))
2834 result &= 0;
2835 else
2836 result &= 1;
2837
2838 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2839 if (PacketAlertCheck(p2, 2))
2840 result &= 0;
2841 else
2842 result &= 1;
2843
2844 SigGroupCleanup(de_ctx);
2845 SigCleanSignatures(de_ctx);
2846 if (det_ctx != NULL)
2847 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2848 DetectEngineCtxFree(de_ctx);
2849 end:
2850 SCFree(p1);
2851 SCFree(p2);
2852 return result;
2853 }
2854
SigTest34ICMPV4Keyword(void)2855 static int SigTest34ICMPV4Keyword(void)
2856 {
2857 uint8_t valid_raw_ipv4[] = {
2858 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2859 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2860 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2861 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2862 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2863 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2864 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2865 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2866 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2867 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2868 0x34, 0x35, 0x36, 0x37};
2869
2870 uint8_t invalid_raw_ipv4[] = {
2871 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2872 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2873 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2874 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2875 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2876 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2877 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2878 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2879 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2880 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2881 0x34, 0x35, 0x36, 0x38};
2882
2883 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
2884 if (unlikely(p1 == NULL))
2885 return 0;
2886 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
2887 if (unlikely(p2 == NULL)) {
2888 SCFree(p1);
2889 return 0;
2890 }
2891 ThreadVars th_v;
2892 DetectEngineThreadCtx *det_ctx = NULL;
2893 int result = 1;
2894
2895 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2896 "\r\n\r\n";
2897 uint16_t buflen = strlen((char *)buf);
2898
2899 memset(&th_v, 0, sizeof(ThreadVars));
2900 memset(p1, 0, SIZE_OF_PACKET);
2901 memset(p2, 0, SIZE_OF_PACKET);
2902
2903 PACKET_RESET_CHECKSUMS(p1);
2904 p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
2905 p1->ip4h->ip_verhl = 69;
2906 p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
2907 p1->src.family = AF_INET;
2908 p1->dst.family = AF_INET;
2909 p1->payload = buf;
2910 p1->payload_len = buflen;
2911 p1->proto = IPPROTO_ICMP;
2912
2913 PACKET_RESET_CHECKSUMS(p2);
2914 p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
2915 p2->ip4h->ip_verhl = 69;
2916 p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
2917 p2->src.family = AF_INET;
2918 p2->dst.family = AF_INET;
2919 p2->payload = buf;
2920 p2->payload_len = buflen;
2921 p2->proto = IPPROTO_ICMP;
2922
2923 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2924 if (de_ctx == NULL) {
2925 goto end;
2926 }
2927
2928 de_ctx->flags |= DE_QUIET;
2929
2930 de_ctx->sig_list = SigInit(de_ctx,
2931 "alert icmp any any -> any any "
2932 "(content:\"/one/\"; icmpv4-csum:valid; "
2933 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2934 if (de_ctx->sig_list == NULL) {
2935 result &= 0;
2936 goto end;
2937 }
2938
2939 de_ctx->sig_list->next = SigInit(de_ctx,
2940 "alert icmp any any -> any any "
2941 "(content:\"/one/\"; icmpv4-csum:invalid; "
2942 "msg:\"icmpv4-csum keyword check(1)\"; "
2943 "sid:2;)");
2944 if (de_ctx->sig_list->next == NULL) {
2945 result = 0;
2946 goto end;
2947 }
2948
2949 SigGroupBuild(de_ctx);
2950 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2951
2952 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2953 if (PacketAlertCheck(p1, 1))
2954 result &= 1;
2955 else
2956 result &= 0;
2957
2958 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2959 if (PacketAlertCheck(p2, 2))
2960 result &= 1;
2961 else
2962 result &= 0;
2963
2964 SigGroupCleanup(de_ctx);
2965 SigCleanSignatures(de_ctx);
2966 if (det_ctx != NULL)
2967 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2968 DetectEngineCtxFree(de_ctx);
2969 end:
2970 SCFree(p1);
2971 SCFree(p2);
2972 return result;
2973 }
2974
SigTest35NegativeICMPV4Keyword(void)2975 static int SigTest35NegativeICMPV4Keyword(void)
2976 {
2977 uint8_t valid_raw_ipv4[] = {
2978 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2979 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2980 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2981 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2982 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2983 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2984 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2985 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2986 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2987 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2988 0x34, 0x35, 0x36, 0x37};
2989
2990 uint8_t invalid_raw_ipv4[] = {
2991 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2992 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2993 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2994 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2995 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2996 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2997 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2998 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2999 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3000 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
3001 0x34, 0x35, 0x36, 0x38};
3002
3003 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
3004 if (unlikely(p1 == NULL))
3005 return 0;
3006 Packet *p2 = SCMalloc(SIZE_OF_PACKET);
3007 if (unlikely(p2 == NULL)) {
3008 SCFree(p1);
3009 return 0;
3010 }
3011 ThreadVars th_v;
3012 DetectEngineThreadCtx *det_ctx = NULL;
3013 int result = 1;
3014
3015 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
3016 "\r\n\r\n";
3017 uint16_t buflen = strlen((char *)buf);
3018
3019 memset(&th_v, 0, sizeof(ThreadVars));
3020 memset(p1, 0, SIZE_OF_PACKET);
3021 memset(p2, 0, SIZE_OF_PACKET);
3022
3023 PACKET_RESET_CHECKSUMS(p1);
3024 p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
3025 p1->ip4h->ip_verhl = 69;
3026 p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
3027 p1->src.family = AF_INET;
3028 p1->dst.family = AF_INET;
3029 p1->payload = buf;
3030 p1->payload_len = buflen;
3031 p1->proto = IPPROTO_ICMP;
3032
3033 PACKET_RESET_CHECKSUMS(p2);
3034 p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
3035 p2->ip4h->ip_verhl = 69;
3036 p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
3037 p2->src.family = AF_INET;
3038 p2->dst.family = AF_INET;
3039 p2->payload = buf;
3040 p2->payload_len = buflen;
3041 p2->proto = IPPROTO_ICMP;
3042
3043 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3044 if (de_ctx == NULL) {
3045 goto end;
3046 }
3047
3048 de_ctx->flags |= DE_QUIET;
3049
3050 de_ctx->sig_list = SigInit(de_ctx,
3051 "alert icmp any any -> any any "
3052 "(content:\"/one/\"; icmpv4-csum:invalid; "
3053 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
3054 if (de_ctx->sig_list == NULL) {
3055 result &= 0;
3056 goto end;
3057 }
3058
3059 de_ctx->sig_list->next = SigInit(de_ctx,
3060 "alert icmp any any -> any any "
3061 "(content:\"/one/\"; icmpv4-csum:valid; "
3062 "msg:\"icmpv4-csum keyword check(1)\"; "
3063 "sid:2;)");
3064 if (de_ctx->sig_list->next == NULL) {
3065 result &= 0;
3066 goto end;
3067 }
3068
3069 SigGroupBuild(de_ctx);
3070 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3071
3072 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3073 if (PacketAlertCheck(p1, 1))
3074 result &= 0;
3075 else
3076 result &= 1;
3077
3078 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3079 if (PacketAlertCheck(p2, 2))
3080 result &= 0;
3081 else {
3082 result &= 1;
3083 }
3084
3085 SigGroupCleanup(de_ctx);
3086 SigCleanSignatures(de_ctx);
3087 if (det_ctx != NULL)
3088 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3089 DetectEngineCtxFree(de_ctx);
3090 end:
3091 SCFree(p1);
3092 SCFree(p2);
3093 return result;
3094 }
3095
SigTest38(void)3096 static int SigTest38(void)
3097 {
3098 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
3099 if (unlikely(p1 == NULL))
3100 return 0;
3101 ThreadVars th_v;
3102 DetectEngineThreadCtx *det_ctx = NULL;
3103 int result = 1;
3104 uint8_t raw_eth[] = {
3105 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3106 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3107 0x08, 0x00
3108 };
3109 uint8_t raw_ipv4[] = {
3110 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3111 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3112 0x7f, 0x00, 0x00, 0x01
3113 };
3114 uint8_t raw_tcp[] = {
3115 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3116 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3117 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3118 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3119 0x00, 0x22, 0xaa, 0x10
3120 };
3121 uint8_t buf[] = {
3122 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3123 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3124 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30, /* LEN1|20| ends at 17 */
3125 0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32, /* "0008" at offset 5 */
3126 0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3127 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3128 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3129 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3130 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3131 0x0a
3132 };
3133 uint16_t ethlen = sizeof(raw_eth);
3134 uint16_t ipv4len = sizeof(raw_ipv4);
3135 uint16_t tcplen = sizeof(raw_tcp);
3136 uint16_t buflen = sizeof(buf);
3137
3138 memset(&th_v, 0, sizeof(ThreadVars));
3139 memset(p1, 0, SIZE_OF_PACKET);
3140
3141 /* Copy raw data into packet */
3142 if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3143 SCFree(p1);
3144 return 1;
3145 }
3146 if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3147 SCFree(p1);
3148 return 1;
3149 }
3150 if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3151 SCFree(p1);
3152 return 1;
3153 }
3154 if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3155 SCFree(p1);
3156 return 1;
3157 }
3158 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3159
3160 PACKET_RESET_CHECKSUMS(p1);
3161 p1->ethh = (EthernetHdr *)raw_eth;
3162 p1->ip4h = (IPV4Hdr *)raw_ipv4;
3163 p1->tcph = (TCPHdr *)raw_tcp;
3164 p1->src.family = AF_INET;
3165 p1->dst.family = AF_INET;
3166 p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3167 p1->payload_len = buflen;
3168 p1->proto = IPPROTO_TCP;
3169
3170 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3171 if (de_ctx == NULL) {
3172 goto end;
3173 }
3174 de_ctx->flags |= DE_QUIET;
3175
3176 de_ctx->sig_list = SigInit(de_ctx,
3177 "alert tcp any any -> any any "
3178 "(content:\"LEN1|20|\"; "
3179 "byte_test:4,=,8,0; "
3180 "msg:\"byte_test keyword check(1)\"; sid:1;)");
3181 if (de_ctx->sig_list == NULL) {
3182 result &= 0;
3183 goto end;
3184 }
3185 de_ctx->sig_list->next = SigInit(de_ctx,
3186 "alert tcp any any -> any any "
3187 "(content:\"LEN1|20|\"; "
3188 "byte_test:4,=,8,5,relative,string,dec; "
3189 "msg:\"byte_test keyword check(2)\"; sid:2;)");
3190 if (de_ctx->sig_list->next == NULL) {
3191 result &= 0;
3192 goto end;
3193 }
3194
3195 SigGroupBuild(de_ctx);
3196 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3197
3198 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3199 if (PacketAlertCheck(p1, 1)) {
3200 result = 1;
3201 } else {
3202 result = 0;
3203 printf("sid 1 didn't alert, but should have: ");
3204 goto cleanup;
3205 }
3206 if (PacketAlertCheck(p1, 2)) {
3207 result = 1;
3208 } else {
3209 result = 0;
3210 printf("sid 2 didn't alert, but should have: ");
3211 goto cleanup;
3212 }
3213
3214 cleanup:
3215 SigGroupCleanup(de_ctx);
3216 SigCleanSignatures(de_ctx);
3217
3218 if (det_ctx != NULL)
3219 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3220 DetectEngineCtxFree(de_ctx);
3221
3222 end:
3223 SCFree(p1);
3224 return result;
3225 }
3226
SigTest39(void)3227 static int SigTest39(void)
3228 {
3229 Packet *p1 = SCMalloc(SIZE_OF_PACKET);
3230 if (unlikely(p1 == NULL))
3231 return 0;
3232 ThreadVars th_v;
3233 DetectEngineThreadCtx *det_ctx = NULL;
3234 int result = 1;
3235 uint8_t raw_eth[] = {
3236 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3237 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3238 0x08, 0x00
3239 };
3240 uint8_t raw_ipv4[] = {
3241 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3242 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3243 0x7f, 0x00, 0x00, 0x01
3244 };
3245 uint8_t raw_tcp[] = {
3246 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3247 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3248 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3249 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3250 0x00, 0x22, 0xaa, 0x10
3251 };
3252 uint8_t buf[] = {
3253 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3254 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3255 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3256 0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3257 0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3258 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3259 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3260 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3261 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3262 0x0a
3263 };
3264 uint16_t ethlen = sizeof(raw_eth);
3265 uint16_t ipv4len = sizeof(raw_ipv4);
3266 uint16_t tcplen = sizeof(raw_tcp);
3267 uint16_t buflen = sizeof(buf);
3268
3269 memset(&th_v, 0, sizeof(ThreadVars));
3270 memset(p1, 0, SIZE_OF_PACKET);
3271
3272 /* Copy raw data into packet */
3273 if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3274 SCFree(p1);
3275 return 1;
3276 }
3277 if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3278 SCFree(p1);
3279 return 1;
3280 }
3281 if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3282 SCFree(p1);
3283 return 1;
3284 }
3285 if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3286 SCFree(p1);
3287 return 1;
3288 }
3289 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3290
3291 PACKET_RESET_CHECKSUMS(p1);
3292 p1->ethh = (EthernetHdr *)raw_eth;
3293 p1->ip4h = (IPV4Hdr *)raw_ipv4;
3294 p1->tcph = (TCPHdr *)raw_tcp;
3295 p1->src.family = AF_INET;
3296 p1->dst.family = AF_INET;
3297 p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3298 p1->payload_len = buflen;
3299 p1->proto = IPPROTO_TCP;
3300
3301 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3302 if (de_ctx == NULL) {
3303 goto end;
3304 }
3305 de_ctx->flags |= DE_QUIET;
3306
3307 de_ctx->sig_list = SigInit(de_ctx,
3308 "alert tcp any any -> any any "
3309 "(content:\"LEN1|20|\"; "
3310 "byte_test:4,=,8,0; "
3311 "byte_jump:4,0; "
3312 "byte_test:6,=,0x4c454e312038,0,relative; "
3313 "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3314 if (de_ctx->sig_list == NULL) {
3315 result &= 0;
3316 goto end;
3317 }
3318 // XXX TODO
3319 de_ctx->sig_list->next = SigInit(de_ctx,
3320 "alert tcp any any -> any any "
3321 "(content:\"LEN1|20|\"; "
3322 "byte_test:4,=,8,4,relative,string,dec; "
3323 "byte_jump:4,4,relative,string,dec,post_offset 2; "
3324 "byte_test:4,=,0x4c454e32,0,relative; "
3325 "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3326 if (de_ctx->sig_list->next == NULL) {
3327 result &= 0;
3328 goto end;
3329 }
3330
3331 SigGroupBuild(de_ctx);
3332 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3333
3334 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3335 if (PacketAlertCheck(p1, 1)) {
3336 result = 1;
3337 } else {
3338 result = 0;
3339 printf("sid 1 didn't alert, but should have: ");
3340 goto cleanup;
3341 }
3342 if (PacketAlertCheck(p1, 2)) {
3343 result = 1;
3344 } else {
3345 result = 0;
3346 printf("sid 2 didn't alert, but should have: ");
3347 goto cleanup;
3348 }
3349
3350 cleanup:
3351 SigGroupCleanup(de_ctx);
3352 SigCleanSignatures(de_ctx);
3353 if (det_ctx != NULL)
3354 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3355 DetectEngineCtxFree(de_ctx);
3356
3357 end:
3358 SCFree(p1);
3359 return result;
3360 }
3361
3362 /**
3363 * \test SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
3364 * \brief expecting to match a size
3365 */
3366
SigTest36ContentAndIsdataatKeywords01(void)3367 static int SigTest36ContentAndIsdataatKeywords01 (void)
3368 {
3369 int result = 0;
3370
3371 // Buid and decode the packet
3372
3373 uint8_t raw_eth [] = {
3374 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3375 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3376 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3377 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3378 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3379 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3380 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3381 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3382 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3383 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3384 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3385 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3386 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3387 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3388 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3389 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3390 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3391 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3392 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3393 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3394 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3395 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3396 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3397 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3398 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3399 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3400 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3401 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3402 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3403 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3404
3405 Packet *p = SCMalloc(SIZE_OF_PACKET);
3406 if (unlikely(p == NULL))
3407 return 0;
3408 DecodeThreadVars dtv;
3409
3410 ThreadVars th_v;
3411 DetectEngineThreadCtx *det_ctx = NULL;
3412
3413 memset(p, 0, SIZE_OF_PACKET);
3414 memset(&dtv, 0, sizeof(DecodeThreadVars));
3415 memset(&th_v, 0, sizeof(th_v));
3416
3417 FlowInitConfig(FLOW_QUIET);
3418 DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3419
3420
3421 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3422 if (de_ctx == NULL) {
3423 goto end;
3424 }
3425
3426 de_ctx->flags |= DE_QUIET;
3427
3428 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3429 if (de_ctx->sig_list == NULL) {
3430 result = 0;
3431 goto end;
3432 }
3433
3434 SigGroupBuild(de_ctx);
3435 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3436
3437 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3438 if (PacketAlertCheck(p, 101) == 0) {
3439 result = 0;
3440 goto end;
3441 } else {
3442 result=1;
3443 }
3444
3445 SigGroupCleanup(de_ctx);
3446 SigCleanSignatures(de_ctx);
3447
3448 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3449 DetectEngineCtxFree(de_ctx);
3450 PACKET_RECYCLE(p);
3451 FlowShutdown();
3452
3453 SCFree(p);
3454 return result;
3455
3456 end:
3457 if(de_ctx)
3458 {
3459 SigGroupCleanup(de_ctx);
3460 SigCleanSignatures(de_ctx);
3461 }
3462
3463 if(det_ctx)
3464 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3465
3466 //PatternMatchDestroy(mpm_ctx);
3467
3468 if(de_ctx)
3469 DetectEngineCtxFree(de_ctx);
3470
3471 if (p != NULL)
3472 PACKET_RECYCLE(p);
3473
3474 FlowShutdown();
3475
3476 SCFree(p);
3477 return result;
3478 }
3479
3480
3481 /**
3482 * \test SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
3483 * \brief not expecting to match a size
3484 */
3485
SigTest37ContentAndIsdataatKeywords02(void)3486 static int SigTest37ContentAndIsdataatKeywords02 (void)
3487 {
3488 int result = 0;
3489
3490 // Buid and decode the packet
3491
3492 uint8_t raw_eth [] = {
3493 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3494 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3495 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3496 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3497 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3498 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3499 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3500 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3501 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3502 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3503 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3504 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3505 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3506 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3507 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3508 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3509 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3510 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3511 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3512 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3513 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3514 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3515 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3516 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3517 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3518 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3519 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3520 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3521 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3522 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3523
3524 Packet *p = SCMalloc(SIZE_OF_PACKET);
3525 if (unlikely(p == NULL))
3526 return 0;
3527 DecodeThreadVars dtv;
3528
3529 ThreadVars th_v;
3530 DetectEngineThreadCtx *det_ctx = NULL;
3531
3532 memset(p, 0, SIZE_OF_PACKET);
3533 memset(&dtv, 0, sizeof(DecodeThreadVars));
3534 memset(&th_v, 0, sizeof(th_v));
3535
3536 FlowInitConfig(FLOW_QUIET);
3537 DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3538
3539
3540 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3541 if (de_ctx == NULL) {
3542 goto end;
3543 }
3544
3545 de_ctx->flags |= DE_QUIET;
3546
3547 Signature *s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3548 if (de_ctx->sig_list == NULL) {
3549 printf("sig parse failed: ");
3550 result = 0;
3551 goto end;
3552 }
3553
3554 if (s->sm_lists[DETECT_SM_LIST_PMATCH]->type != DETECT_CONTENT) {
3555 printf("type not content: ");
3556 goto end;
3557 }
3558 SigGroupBuild(de_ctx);
3559 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3560
3561 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3562 if (PacketAlertCheck(p, 101) == 0) {
3563 result = 1;
3564 goto end;
3565 } else {
3566 printf("sig matched, but should not have: ");
3567 result=0;
3568 }
3569
3570 SigGroupCleanup(de_ctx);
3571 SigCleanSignatures(de_ctx);
3572
3573 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3574 DetectEngineCtxFree(de_ctx);
3575
3576 PACKET_RECYCLE(p);
3577 FlowShutdown();
3578
3579 SCFree(p);
3580 return result;
3581
3582 end:
3583 if(de_ctx)
3584 {
3585 SigGroupCleanup(de_ctx);
3586 SigCleanSignatures(de_ctx);
3587 }
3588
3589 if(det_ctx)
3590 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3591
3592 if(de_ctx)
3593 DetectEngineCtxFree(de_ctx);
3594
3595 if (p != NULL)
3596 PACKET_RECYCLE(p);
3597
3598 FlowShutdown();
3599
3600 SCFree(p);
3601 return result;
3602 }
3603
3604 /**
3605 * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
3606 * flag is set, we don't need to inspect the packet protocol header or its contents.
3607 */
3608
SigTest40NoPacketInspection01(void)3609 static int SigTest40NoPacketInspection01(void)
3610 {
3611
3612 uint8_t *buf = (uint8_t *)
3613 "220 (vsFTPd 2.0.5)\r\n";
3614 uint16_t buflen = strlen((char *)buf);
3615 Packet *p = SCMalloc(SIZE_OF_PACKET);
3616 TCPHdr tcphdr;
3617 if (unlikely(p == NULL))
3618 return 0;
3619 ThreadVars th_v;
3620 DetectEngineThreadCtx *det_ctx = NULL;
3621 PacketQueue pq;
3622 Flow f;
3623 int result = 0;
3624
3625 memset(&th_v, 0, sizeof(th_v));
3626 memset(p, 0, SIZE_OF_PACKET);
3627 memset(&pq, 0, sizeof(pq));
3628 memset(&f, 0, sizeof(f));
3629 memset(&tcphdr, 0, sizeof(tcphdr));
3630
3631 p->src.family = AF_INET;
3632 p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
3633 p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
3634 p->dst.family = AF_INET;
3635 p->payload = buf;
3636 p->payload_len = buflen;
3637 p->proto = IPPROTO_TCP;
3638 p->dp = 34260;
3639 p->sp = 21;
3640 p->flowflags |= FLOW_PKT_TOSERVER;
3641 p->flags |= PKT_NOPACKET_INSPECTION;
3642 p->tcph = &tcphdr;
3643 p->flow = &f;
3644
3645 FLOW_INITIALIZE(&f);
3646
3647 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3648 if (de_ctx == NULL) {
3649 goto end;
3650 }
3651
3652 de_ctx->flags |= DE_QUIET;
3653
3654 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3655 if (de_ctx->sig_list == NULL) {
3656 result = 0;
3657 goto end;
3658 }
3659
3660 SigGroupBuild(de_ctx);
3661 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3662 det_ctx->de_ctx = de_ctx;
3663
3664 Detect(&th_v, p, det_ctx);
3665 if (PacketAlertCheck(p, 2))
3666 result = 0;
3667 else
3668 result = 1;
3669
3670 SigGroupCleanup(de_ctx);
3671 SigCleanSignatures(de_ctx);
3672 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3673 //PatternMatchDestroy(mpm_ctx);
3674 DetectEngineCtxFree(de_ctx);
3675 end:
3676 SCFree(p);
3677 return result;
3678 }
3679
3680 /**
3681 * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
3682 * flasg is set, we don't need to inspect the packet contents.
3683 */
3684
SigTest40NoPayloadInspection02(void)3685 static int SigTest40NoPayloadInspection02(void)
3686 {
3687
3688 uint8_t *buf = (uint8_t *)
3689 "220 (vsFTPd 2.0.5)\r\n";
3690 uint16_t buflen = strlen((char *)buf);
3691 ThreadVars th_v;
3692 memset(&th_v, 0, sizeof(th_v));
3693
3694 Packet *p = SCMalloc(SIZE_OF_PACKET);
3695 FAIL_IF_NULL(p);
3696 memset(p, 0, SIZE_OF_PACKET);
3697
3698 p->src.family = AF_INET;
3699 p->dst.family = AF_INET;
3700 p->payload = buf;
3701 p->payload_len = buflen;
3702 p->proto = IPPROTO_TCP;
3703 p->flags |= PKT_NOPAYLOAD_INSPECTION;
3704
3705 DetectEngineThreadCtx *det_ctx = NULL;
3706 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3707 FAIL_IF_NULL(de_ctx);
3708 de_ctx->flags |= DE_QUIET;
3709
3710 Signature *s = DetectEngineAppendSig(de_ctx,
3711 "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3712 FAIL_IF_NULL(s);
3713
3714 SigGroupBuild(de_ctx);
3715 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3716
3717 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3718
3719 FAIL_IF(PacketAlertCheck(p, 1));
3720
3721 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3722 DetectEngineCtxFree(de_ctx);
3723 SCFree(p);
3724 PASS;
3725 }
3726
SigTestMemory01(void)3727 static int SigTestMemory01 (void)
3728 {
3729 uint8_t *buf = (uint8_t *)
3730 "GET /one/ HTTP/1.1\r\n"
3731 "Host: one.example.org\r\n"
3732 "\r\n\r\n"
3733 "GET /two/ HTTP/1.1\r\n"
3734 "Host: two.example.org\r\n"
3735 "\r\n\r\n";
3736 uint16_t buflen = strlen((char *)buf);
3737 Packet *p = SCMalloc(SIZE_OF_PACKET);
3738 if (unlikely(p == NULL))
3739 return 0;
3740 ThreadVars th_v;
3741 DetectEngineThreadCtx *det_ctx = NULL;
3742 int result = 0;
3743
3744 memset(&th_v, 0, sizeof(th_v));
3745 memset(p, 0, SIZE_OF_PACKET);
3746 p->src.family = AF_INET;
3747 p->dst.family = AF_INET;
3748 p->payload = buf;
3749 p->payload_len = buflen;
3750 p->proto = IPPROTO_TCP;
3751
3752 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3753 if (de_ctx == NULL) {
3754 goto end;
3755 }
3756
3757 de_ctx->flags |= DE_QUIET;
3758
3759 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3760 if (de_ctx->sig_list == NULL) {
3761 result = 0;
3762 goto end;
3763 }
3764
3765 SigGroupBuild(de_ctx);
3766 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3767
3768 SigGroupCleanup(de_ctx);
3769 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3770 DetectEngineCtxFree(de_ctx);
3771
3772 result = 1;
3773 end:
3774 SCFree(p);
3775 return result;
3776 }
3777
SigTestMemory02(void)3778 static int SigTestMemory02 (void)
3779 {
3780 ThreadVars th_v;
3781 int result = 0;
3782
3783 memset(&th_v, 0, sizeof(th_v));
3784
3785 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3786 if (de_ctx == NULL) {
3787 goto end;
3788 }
3789 de_ctx->flags |= DE_QUIET;
3790
3791 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3792 if (de_ctx->sig_list == NULL) {
3793 result = 0;
3794 goto end;
3795 }
3796 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3797 if (de_ctx->sig_list->next == NULL) {
3798 result = 0;
3799 goto end;
3800 }
3801
3802 SigGroupBuild(de_ctx);
3803
3804 SigGroupCleanup(de_ctx);
3805 DetectEngineCtxFree(de_ctx);
3806
3807 result = 1;
3808 end:
3809 return result;
3810 }
3811
SigTestMemory03(void)3812 static int SigTestMemory03 (void)
3813 {
3814 ThreadVars th_v;
3815 int result = 0;
3816
3817 memset(&th_v, 0, sizeof(th_v));
3818
3819 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3820 if (de_ctx == NULL) {
3821 goto end;
3822 }
3823 de_ctx->flags |= DE_QUIET;
3824
3825 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3826 if (de_ctx->sig_list == NULL) {
3827 result = 0;
3828 goto end;
3829 }
3830 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3831 if (de_ctx->sig_list->next == NULL) {
3832 result = 0;
3833 goto end;
3834 }
3835 de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3836 if (de_ctx->sig_list->next->next == NULL) {
3837 result = 0;
3838 goto end;
3839 }
3840
3841 SigGroupBuild(de_ctx);
3842
3843 SigGroupCleanup(de_ctx);
3844 DetectEngineCtxFree(de_ctx);
3845
3846 result = 1;
3847 end:
3848 return result;
3849 }
3850
SigTestContent01(void)3851 static int SigTestContent01 (void)
3852 {
3853 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3854 uint16_t buflen = strlen((char *)buf);
3855 ThreadVars th_v;
3856 DetectEngineThreadCtx *det_ctx = NULL;
3857 int result = 0;
3858
3859 memset(&th_v, 0, sizeof(th_v));
3860
3861 Packet *p = NULL;
3862 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3863
3864 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3865 if (de_ctx == NULL) {
3866 goto end;
3867 }
3868 de_ctx->flags |= DE_QUIET;
3869
3870 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3871 if (de_ctx->sig_list == NULL) {
3872 result = 0;
3873 goto end;
3874 }
3875
3876 SigGroupBuild(de_ctx);
3877 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3878
3879 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3880 if (PacketAlertCheck(p, 1))
3881 result = 1;
3882 else
3883 printf("sig 1 didn't match: ");
3884
3885 SigGroupCleanup(de_ctx);
3886 SigCleanSignatures(de_ctx);
3887
3888 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3889 DetectEngineCtxFree(de_ctx);
3890 end:
3891 UTHFreePackets(&p, 1);
3892 return result;
3893 }
3894
SigTestContent02(void)3895 static int SigTestContent02 (void)
3896 {
3897 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3898 uint16_t buflen = strlen((char *)buf);
3899 ThreadVars th_v;
3900 DetectEngineThreadCtx *det_ctx = NULL;
3901 int result = 0;
3902
3903 memset(&th_v, 0, sizeof(th_v));
3904 Packet *p = NULL;
3905 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3906
3907 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3908 if (de_ctx == NULL) {
3909 goto end;
3910 }
3911 de_ctx->flags |= DE_QUIET;
3912
3913 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3914 if (de_ctx->sig_list == NULL) {
3915 result = 0;
3916 goto end;
3917 }
3918
3919 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
3920 if (de_ctx->sig_list->next == NULL) {
3921 result = 0;
3922 goto end;
3923 }
3924
3925 SigGroupBuild(de_ctx);
3926 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3927
3928 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3929 if (PacketAlertCheck(p, 1)) {
3930 if (PacketAlertCheck(p, 2)) {
3931 result = 1;
3932 } else
3933 printf("sig 2 didn't match: ");
3934 }
3935 else
3936 printf("sig 1 didn't match: ");
3937
3938 SigGroupCleanup(de_ctx);
3939 SigCleanSignatures(de_ctx);
3940
3941 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3942 DetectEngineCtxFree(de_ctx);
3943 end:
3944 UTHFreePackets(&p, 1);
3945 return result;
3946 }
3947
SigTestContent03(void)3948 static int SigTestContent03 (void)
3949 {
3950 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3951 uint16_t buflen = strlen((char *)buf);
3952 ThreadVars th_v;
3953 DetectEngineThreadCtx *det_ctx = NULL;
3954 int result = 0;
3955
3956 memset(&th_v, 0, sizeof(th_v));
3957 Packet *p = NULL;
3958 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3959
3960 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3961 if (de_ctx == NULL) {
3962 goto end;
3963 }
3964
3965 de_ctx->flags |= DE_QUIET;
3966
3967 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3968 if (de_ctx->sig_list == NULL) {
3969 result = 0;
3970 goto end;
3971 }
3972
3973 SigGroupBuild(de_ctx);
3974 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3975
3976 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3977 if (PacketAlertCheck(p, 1))
3978 result = 1;
3979 else
3980 printf("sig 1 didn't match: ");
3981
3982 SigGroupCleanup(de_ctx);
3983 SigCleanSignatures(de_ctx);
3984
3985 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3986 DetectEngineCtxFree(de_ctx);
3987 end:
3988 UTHFreePackets(&p, 1);
3989 return result;
3990 }
3991
SigTestContent04(void)3992 static int SigTestContent04 (void)
3993 {
3994 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3995 uint16_t buflen = strlen((char *)buf);
3996 ThreadVars th_v;
3997 DetectEngineThreadCtx *det_ctx = NULL;
3998 int result = 0;
3999
4000 memset(&th_v, 0, sizeof(th_v));
4001
4002 Packet *p = NULL;
4003 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4004
4005 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4006 if (de_ctx == NULL) {
4007 goto end;
4008 }
4009
4010 de_ctx->flags |= DE_QUIET;
4011
4012 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4013 if (de_ctx->sig_list == NULL) {
4014 result = 0;
4015 goto end;
4016 }
4017
4018 SigGroupBuild(de_ctx);
4019 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4020
4021 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4022 if (PacketAlertCheck(p, 1))
4023 result = 1;
4024 else
4025 printf("sig 1 didn't match: ");
4026
4027 SigGroupCleanup(de_ctx);
4028 SigCleanSignatures(de_ctx);
4029
4030 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4031 DetectEngineCtxFree(de_ctx);
4032 end:
4033 UTHFreePackets(&p, 1);
4034 return result;
4035 }
4036
4037 /** \test sigs with patterns at the limit of the pm's size limit */
SigTestContent05(void)4038 static int SigTestContent05 (void)
4039 {
4040 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4041 uint16_t buflen = strlen((char *)buf);
4042 ThreadVars th_v;
4043 DetectEngineThreadCtx *det_ctx = NULL;
4044 int result = 0;
4045
4046 memset(&th_v, 0, sizeof(th_v));
4047 Packet *p = NULL;
4048 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4049
4050 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4051 if (de_ctx == NULL) {
4052 printf("de_ctx == NULL: ");
4053 goto end;
4054 }
4055
4056 de_ctx->flags |= DE_QUIET;
4057
4058 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4059 if (de_ctx->sig_list == NULL) {
4060 printf("sig1 parse failed: ");
4061 goto end;
4062 }
4063 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
4064 if (de_ctx->sig_list->next == NULL) {
4065 printf("sig2 parse failed: ");
4066 goto end;
4067 }
4068
4069 SigGroupBuild(de_ctx);
4070 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4071
4072 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4073
4074 if (PacketAlertCheck(p, 1)) {
4075 printf("sig 1 matched but shouldn't: ");
4076 goto end;
4077 }
4078
4079 if (PacketAlertCheck(p, 2)) {
4080 printf("sig 2 matched but shouldn't: ");
4081 goto end;
4082 }
4083
4084 result = 1;
4085 end:
4086 UTHFreePackets(&p, 1);
4087 SigGroupCleanup(de_ctx);
4088 SigCleanSignatures(de_ctx);
4089
4090 if (det_ctx != NULL) {
4091 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4092 }
4093 if (de_ctx != NULL) {
4094 DetectEngineCtxFree(de_ctx);
4095 }
4096 return result;
4097 }
4098
SigTestContent06(void)4099 static int SigTestContent06 (void)
4100 {
4101 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4102 uint16_t buflen = strlen((char *)buf);
4103 ThreadVars th_v;
4104 DetectEngineThreadCtx *det_ctx = NULL;
4105 int result = 0;
4106
4107 memset(&th_v, 0, sizeof(th_v));
4108 Packet *p = NULL;
4109 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4110
4111 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4112 if (de_ctx == NULL) {
4113 goto end;
4114 }
4115
4116 de_ctx->flags |= DE_QUIET;
4117
4118 de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4119 if (de_ctx->sig_list == NULL) {
4120 result = 0;
4121 goto end;
4122 }
4123 de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
4124 if (de_ctx->sig_list->next == NULL) {
4125 result = 0;
4126 goto end;
4127 }
4128
4129 SigGroupBuild(de_ctx);
4130 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4131
4132 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4133 if (PacketAlertCheck(p, 1)){
4134 //printf("sig 1 matched :");
4135 }else{
4136 printf("sig 1 didn't match: ");
4137 goto end;
4138 }
4139
4140 if (PacketAlertCheck(p, 2)){
4141 result = 1;
4142 }else{
4143 printf("sig 2 didn't match: ");
4144 goto end;
4145 }
4146
4147 SigGroupCleanup(de_ctx);
4148 SigCleanSignatures(de_ctx);
4149
4150 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4151 DetectEngineCtxFree(de_ctx);
4152 end:
4153 UTHFreePackets(&p, 1);
4154 return result;
4155 }
4156
SigTestWithin01(void)4157 static int SigTestWithin01 (void)
4158 {
4159 DecodeThreadVars dtv;
4160 ThreadVars th_v;
4161 int result = 0;
4162 Packet *p1 = NULL;
4163 Packet *p2 = NULL;
4164 Packet *p3 = NULL;
4165 Packet *p4 = NULL;
4166
4167 uint8_t rawpkt1[] = {
4168 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4169 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4170 0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
4171 0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4172 0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
4173 0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
4174 0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
4175 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4176 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4177 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4178 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4179 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4180 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4181 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4182 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4183 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4184 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4185 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4186 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4187 0x00,0x00 }; /* end rawpkt1 */
4188
4189 uint8_t rawpkt2[] = {
4190 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4191 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4192 0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
4193 0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4194 0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
4195 0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
4196 0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
4197 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4198 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4199 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4200 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4201 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4202 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4203 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4204 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4205 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4206 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4207 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4208 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4209 0x00,0x00 }; /* end rawpkt2 */
4210
4211 uint8_t rawpkt3[] = {
4212 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4213 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4214 0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
4215 0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4216 0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
4217 0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
4218 0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
4219 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4220 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4221 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4222 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4223 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4224 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4225 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4226 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4227 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4228 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4229 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4230 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4231 0x00,0x00 }; /* end rawpkt3 */
4232
4233 uint8_t rawpkt4[] = {
4234 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4235 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4236 0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
4237 0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4238 0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
4239 0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
4240 0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
4241 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4242 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4243 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4244 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4245 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4246 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4247 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4248 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4249 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4250 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4251 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4252 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4253 0x00,0x00 }; /* end rawpkt4 */
4254
4255 memset(&dtv, 0, sizeof(DecodeThreadVars));
4256 memset(&th_v, 0, sizeof(th_v));
4257
4258 DetectEngineThreadCtx *det_ctx = NULL;
4259
4260 FlowInitConfig(FLOW_QUIET);
4261
4262 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4263 if (de_ctx == NULL) {
4264 goto end;
4265 }
4266
4267 de_ctx->flags |= DE_QUIET;
4268
4269 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
4270 if (de_ctx->sig_list == NULL) {
4271 result = 0;
4272 goto end;
4273 }
4274
4275 SigGroupBuild(de_ctx);
4276 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4277
4278 /* packet 1 */
4279 p1 = SCMalloc(SIZE_OF_PACKET);
4280 if (unlikely(p1 == NULL))
4281 return 0;
4282 memset(p1, 0, SIZE_OF_PACKET);
4283 DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1));
4284 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4285 if (!(PacketAlertCheck(p1, 556))) {
4286 printf("failed to match on packet 1: ");
4287 goto end;
4288 }
4289
4290 /* packet 2 */
4291 p2 = SCMalloc(SIZE_OF_PACKET);
4292 if (unlikely(p2 == NULL))
4293 return 0;
4294 memset(p2, 0, SIZE_OF_PACKET);
4295 DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2));
4296 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4297 if (!(PacketAlertCheck(p2, 556))) {
4298 printf("failed to match on packet 2: ");
4299 goto end;
4300 }
4301
4302 /* packet 3 */
4303 p3 = SCMalloc(SIZE_OF_PACKET);
4304 if (unlikely(p3 == NULL))
4305 return 0;
4306 memset(p3, 0, SIZE_OF_PACKET);
4307 DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3));
4308 SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4309 if (!(PacketAlertCheck(p3, 556))) {
4310 printf("failed to match on packet 3: ");
4311 goto end;
4312 }
4313
4314 /* packet 4 */
4315 p4 = SCMalloc(SIZE_OF_PACKET);
4316 if (unlikely(p4 == NULL))
4317 return 0;
4318 memset(p4, 0, SIZE_OF_PACKET);
4319 DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4));
4320 SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
4321 if (!(PacketAlertCheck(p4, 556))) {
4322 printf("failed to match on packet 4: ");
4323 goto end;
4324 }
4325
4326 /* packet 5 */
4327 uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
4328 uint16_t p5buflen = strlen((char *)p5buf);
4329 Packet *p5 = UTHBuildPacket(p5buf, p5buflen, IPPROTO_TCP);
4330 SigMatchSignatures(&th_v, de_ctx, det_ctx, p5);
4331 if (!(PacketAlertCheck(p5, 556))) {
4332 printf("failed to match on packet 5: ");
4333 goto end;
4334 }
4335 UTHFreePackets(&p5, 1);
4336
4337 result = 1;
4338 end:
4339 if (de_ctx != NULL) {
4340 SigGroupCleanup(de_ctx);
4341 SigCleanSignatures(de_ctx);
4342 }
4343
4344 if (det_ctx != NULL)
4345 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4346
4347 if (de_ctx != NULL)
4348 DetectEngineCtxFree(de_ctx);
4349
4350 if (p1 != NULL) {
4351 PACKET_RECYCLE(p1);
4352 SCFree(p1);
4353 }
4354 if (p2 != NULL) {
4355 PACKET_RECYCLE(p2);
4356 SCFree(p2);
4357 }
4358 if (p3 != NULL) {
4359 PACKET_RECYCLE(p3);
4360 SCFree(p3);
4361 }
4362 if (p4 != NULL) {
4363 PACKET_RECYCLE(p4);
4364 SCFree(p4);
4365 }
4366 FlowShutdown();
4367 return result;
4368 }
4369
SigTestDepthOffset01(void)4370 static int SigTestDepthOffset01 (void)
4371 {
4372 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4373 uint16_t buflen = strlen((char *)buf);
4374 Packet *p = NULL;
4375 ThreadVars th_v;
4376 DetectEngineThreadCtx *det_ctx = NULL;
4377 int result = 0;
4378
4379 memset(&th_v, 0, sizeof(th_v));
4380
4381 p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
4382
4383 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4384 if (de_ctx == NULL) {
4385 goto end;
4386 }
4387
4388 de_ctx->flags |= DE_QUIET;
4389
4390 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
4391 if (de_ctx->sig_list == NULL) {
4392 result = 0;
4393 goto end;
4394 }
4395
4396 SigGroupBuild(de_ctx);
4397 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4398
4399 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4400 if (PacketAlertCheck(p, 1))
4401 result = 1;
4402
4403 SigGroupCleanup(de_ctx);
4404 SigCleanSignatures(de_ctx);
4405
4406 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4407 DetectEngineCtxFree(de_ctx);
4408 end:
4409 UTHFreePackets(&p, 1);
4410 return result;
4411 }
4412
SigTestDetectAlertCounter(void)4413 static int SigTestDetectAlertCounter(void)
4414 {
4415 Packet *p = NULL;
4416 ThreadVars tv;
4417 DetectEngineThreadCtx *det_ctx = NULL;
4418 memset(&tv, 0, sizeof(tv));
4419
4420 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4421 FAIL_IF_NULL(de_ctx);
4422 de_ctx->flags |= DE_QUIET;
4423
4424 de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
4425 "content:\"boo\"; sid:1;)");
4426 FAIL_IF(de_ctx->sig_list == NULL);
4427
4428 SigGroupBuild(de_ctx);
4429 strlcpy(tv.name, "detect_test", sizeof(tv.name));
4430 DetectEngineThreadCtxInit(&tv, de_ctx, (void *)&det_ctx);
4431 /* init counters */
4432 StatsSetupPrivate(&tv);
4433
4434 p = UTHBuildPacket((uint8_t *)"boo", strlen("boo"), IPPROTO_TCP);
4435 Detect(&tv, p, det_ctx);
4436 FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 1);
4437
4438 Detect(&tv, p, det_ctx);
4439 FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 2);
4440 UTHFreePackets(&p, 1);
4441
4442 p = UTHBuildPacket((uint8_t *)"roo", strlen("roo"), IPPROTO_TCP);
4443 Detect(&tv, p, det_ctx);
4444 FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 2);
4445 UTHFreePackets(&p, 1);
4446
4447 p = UTHBuildPacket((uint8_t *)"laboosa", strlen("laboosa"), IPPROTO_TCP);
4448 Detect(&tv, p, det_ctx);
4449 FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 3);
4450 UTHFreePackets(&p, 1);
4451
4452 DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
4453 DetectEngineCtxFree(de_ctx);
4454 PASS;
4455 }
4456
4457 /** \test test if the engine set flag to drop pkts of a flow that
4458 * triggered a drop action on IPS mode */
SigTestDropFlow01(void)4459 static int SigTestDropFlow01(void)
4460 {
4461 int result = 0;
4462 Flow f;
4463 HtpState *http_state = NULL;
4464 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4465 "User-Agent: Mozilla/1.0\r\n"
4466 "Cookie: hellocatch\r\n\r\n";
4467 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4468 TcpSession ssn;
4469 Packet *p = NULL;
4470 Signature *s = NULL;
4471 ThreadVars tv;
4472 DetectEngineThreadCtx *det_ctx = NULL;
4473 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4474
4475 memset(&tv, 0, sizeof(ThreadVars));
4476 memset(&f, 0, sizeof(Flow));
4477 memset(&ssn, 0, sizeof(TcpSession));
4478
4479 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4480
4481 FLOW_INITIALIZE(&f);
4482 f.protoctx = (void *)&ssn;
4483 f.proto = IPPROTO_TCP;
4484 f.flags |= FLOW_IPV4;
4485
4486 p->flow = &f;
4487 p->flowflags |= FLOW_PKT_TOSERVER;
4488 p->flowflags |= FLOW_PKT_ESTABLISHED;
4489 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4490 f.alproto = ALPROTO_HTTP;
4491
4492 StreamTcpInitConfig(TRUE);
4493
4494 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4495 if (de_ctx == NULL) {
4496 goto end;
4497 }
4498 de_ctx->flags |= DE_QUIET;
4499
4500 s = de_ctx->sig_list = SigInit(de_ctx, "drop http any any -> any any "
4501 "(msg:\"Test proto match\"; "
4502 "sid:1;)");
4503 if (s == NULL) {
4504 goto end;
4505 }
4506
4507 SigGroupBuild(de_ctx);
4508 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4509
4510 FLOWLOCK_WRLOCK(&f);
4511 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4512 STREAM_TOSERVER, http_buf1, http_buf1_len);
4513 if (r != 0) {
4514 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4515 FLOWLOCK_UNLOCK(&f);
4516 goto end;
4517 }
4518 FLOWLOCK_UNLOCK(&f);
4519
4520 http_state = f.alstate;
4521 if (http_state == NULL) {
4522 printf("no http state: ");
4523 goto end;
4524 }
4525
4526 /* do detect */
4527 SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4528
4529 if (!PacketAlertCheck(p, 1)) {
4530 printf("sig 1 didn't alert, but it should: ");
4531 goto end;
4532 }
4533
4534 if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4535 printf("sig 1 alerted but flow was not flagged correctly: ");
4536 goto end;
4537 }
4538
4539 /* Ok, now we know that the flag is set for proto http */
4540
4541 result = 1;
4542
4543 end:
4544 if (alp_tctx != NULL)
4545 AppLayerParserThreadCtxFree(alp_tctx);
4546 if (det_ctx != NULL)
4547 DetectEngineThreadCtxDeinit(&tv, det_ctx);
4548 if (de_ctx != NULL)
4549 SigGroupCleanup(de_ctx);
4550 if (de_ctx != NULL)
4551 DetectEngineCtxFree(de_ctx);
4552
4553 StreamTcpFreeConfig(TRUE);
4554 FLOW_DESTROY(&f);
4555
4556 UTHFreePackets(&p, 1);
4557 return result;
4558 }
4559
4560 /** \test test if the engine set flag to drop pkts of a flow that
4561 * triggered a drop action on IPS mode */
SigTestDropFlow02(void)4562 static int SigTestDropFlow02(void)
4563 {
4564 int result = 0;
4565 Flow f;
4566 HtpState *http_state = NULL;
4567 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4568 "User-Agent: Mozilla/1.0\r\n"
4569 "Cookie: hellocatch\r\n\r\n";
4570 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4571 TcpSession ssn;
4572 Packet *p = NULL;
4573 Signature *s = NULL;
4574 ThreadVars tv;
4575 DetectEngineThreadCtx *det_ctx = NULL;
4576 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4577
4578 memset(&tv, 0, sizeof(ThreadVars));
4579 memset(&f, 0, sizeof(Flow));
4580 memset(&ssn, 0, sizeof(TcpSession));
4581
4582 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4583
4584 FLOW_INITIALIZE(&f);
4585 f.protoctx = (void *)&ssn;
4586 f.proto = IPPROTO_TCP;
4587 f.flags |= FLOW_IPV4;
4588
4589 p->flow = &f;
4590 p->flowflags |= FLOW_PKT_TOSERVER;
4591 p->flowflags |= FLOW_PKT_ESTABLISHED;
4592 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4593 f.alproto = ALPROTO_HTTP;
4594
4595 StreamTcpInitConfig(TRUE);
4596
4597 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4598 if (de_ctx == NULL) {
4599 goto end;
4600 }
4601 de_ctx->flags |= DE_QUIET;
4602
4603 s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4604 "(msg:\"Test proto match\"; uricontent:\"one\";"
4605 "sid:1;)");
4606 if (s == NULL) {
4607 goto end;
4608 }
4609
4610 SigGroupBuild(de_ctx);
4611 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4612
4613 FLOWLOCK_WRLOCK(&f);
4614 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4615 STREAM_TOSERVER, http_buf1, http_buf1_len);
4616 if (r != 0) {
4617 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4618 FLOWLOCK_UNLOCK(&f);
4619 goto end;
4620 }
4621 FLOWLOCK_UNLOCK(&f);
4622
4623 http_state = f.alstate;
4624 if (http_state == NULL) {
4625 printf("no http state: ");
4626 goto end;
4627 }
4628
4629 /* do detect */
4630 SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4631
4632 if (!PacketAlertCheck(p, 1)) {
4633 printf("sig 1 didn't alert, but it should: ");
4634 goto end;
4635 }
4636
4637 if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4638 printf("sig 1 alerted but flow was not flagged correctly: ");
4639 goto end;
4640 }
4641
4642 /* Ok, now we know that the flag is set for app layer sigs
4643 * (ex: inspecting uricontent) */
4644
4645 result = 1;
4646
4647 end:
4648 if (alp_tctx != NULL)
4649 AppLayerParserThreadCtxFree(alp_tctx);
4650 if (det_ctx != NULL)
4651 DetectEngineThreadCtxDeinit(&tv, det_ctx);
4652 if (de_ctx != NULL)
4653 SigGroupCleanup(de_ctx);
4654 if (de_ctx != NULL)
4655 DetectEngineCtxFree(de_ctx);
4656
4657 StreamTcpFreeConfig(TRUE);
4658 FLOW_DESTROY(&f);
4659
4660 UTHFreePackets(&p, 1);
4661 return result;
4662 }
4663
4664 /** \test test if the engine set flag to drop pkts of a flow that
4665 * triggered a drop action on IPS mode, and it doesn't inspect
4666 * any other packet of the stream */
SigTestDropFlow03(void)4667 static int SigTestDropFlow03(void)
4668 {
4669 int result = 0;
4670 Flow f;
4671 HtpState *http_state = NULL;
4672 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4673 "User-Agent: Mozilla/1.0\r\n"
4674 "Cookie: hellocatch\r\n\r\n";
4675 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4676
4677 uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4678 "User-Agent: Mozilla/1.0\r\n"
4679 "Cookie: hellocatch\r\n\r\n";
4680 uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4681
4682 /* Set the engine mode to IPS */
4683 EngineModeSetIPS();
4684
4685 TcpSession ssn;
4686 Packet *p1 = NULL;
4687 Packet *p2 = NULL;
4688 Signature *s = NULL;
4689 ThreadVars tv;
4690 DetectEngineThreadCtx *det_ctx = NULL;
4691 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4692
4693 memset(&tv, 0, sizeof(ThreadVars));
4694 memset(&f, 0, sizeof(Flow));
4695 memset(&ssn, 0, sizeof(TcpSession));
4696
4697 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4698 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4699
4700 FLOW_INITIALIZE(&f);
4701 f.protoctx = (void *)&ssn;
4702 f.proto = IPPROTO_TCP;
4703 f.flags |= FLOW_IPV4;
4704
4705 p1->flow = &f;
4706 p1->flowflags |= FLOW_PKT_TOSERVER;
4707 p1->flowflags |= FLOW_PKT_ESTABLISHED;
4708 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4709
4710 p2->flow = &f;
4711 p2->flowflags |= FLOW_PKT_TOSERVER;
4712 p2->flowflags |= FLOW_PKT_ESTABLISHED;
4713 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4714 f.alproto = ALPROTO_HTTP;
4715
4716 StreamTcpInitConfig(TRUE);
4717
4718 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4719 if (de_ctx == NULL) {
4720 goto end;
4721 }
4722
4723 de_ctx->flags |= DE_QUIET;
4724
4725 s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4726 "(msg:\"Test proto match\"; uricontent:\"one\";"
4727 "sid:1;)");
4728 if (s == NULL) {
4729 goto end;
4730 }
4731
4732 /* the no inspection flag should be set after the first sig gets triggered,
4733 * so the second packet should not match the next sig (because of no inspection) */
4734 s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4735 "(msg:\"Test proto match\"; uricontent:\"two\";"
4736 "sid:2;)");
4737 if (s == NULL) {
4738 goto end;
4739 }
4740
4741 SigGroupBuild(de_ctx);
4742 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4743
4744 FLOWLOCK_WRLOCK(&f);
4745 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4746 STREAM_TOSERVER, http_buf1, http_buf1_len);
4747 if (r != 0) {
4748 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4749 FLOWLOCK_UNLOCK(&f);
4750 goto end;
4751 }
4752 FLOWLOCK_UNLOCK(&f);
4753
4754 http_state = f.alstate;
4755 if (http_state == NULL) {
4756 printf("no http state: ");
4757 goto end;
4758 }
4759
4760 /* do detect */
4761 SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4762
4763 if (!PacketAlertCheck(p1, 1)) {
4764 printf("sig 1 didn't alert on p1, but it should: ");
4765 goto end;
4766 }
4767
4768 if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4769 printf("sig 1 alerted but flow was not flagged correctly: ");
4770 goto end;
4771 }
4772
4773 /* Second part.. Let's feed with another packet */
4774 if (StreamTcpCheckFlowDrops(p2) == 1) {
4775 SCLogDebug("This flow/stream triggered a drop rule");
4776 FlowSetNoPacketInspectionFlag(p2->flow);
4777 DecodeSetNoPacketInspectionFlag(p2);
4778 StreamTcpDisableAppLayer(p2->flow);
4779 p2->action |= ACTION_DROP;
4780 /* return the segments to the pool */
4781 StreamTcpSessionPktFree(p2);
4782 }
4783
4784
4785 if ( !(p2->flags & PKT_NOPACKET_INSPECTION)) {
4786 printf("The packet was not flagged with no-inspection: ");
4787 goto end;
4788 }
4789
4790 FLOWLOCK_WRLOCK(&f);
4791 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4792 STREAM_TOSERVER, http_buf2, http_buf2_len);
4793 if (r != 0) {
4794 printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4795 FLOWLOCK_UNLOCK(&f);
4796 goto end;
4797 }
4798 FLOWLOCK_UNLOCK(&f);
4799
4800 /* do detect */
4801 SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4802
4803 if (PacketAlertCheck(p2, 1)) {
4804 printf("sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4805 goto end;
4806 }
4807
4808 if (PacketAlertCheck(p2, 2)) {
4809 printf("sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4810 goto end;
4811 }
4812
4813 if ( !(PACKET_TEST_ACTION(p2, ACTION_DROP))) {
4814 printf("A \"drop\" action should be set from the flow to the packet: ");
4815 goto end;
4816 }
4817
4818 result = 1;
4819
4820 end:
4821 if (alp_tctx != NULL)
4822 AppLayerParserThreadCtxFree(alp_tctx);
4823 if (det_ctx != NULL)
4824 DetectEngineThreadCtxDeinit(&tv, det_ctx);
4825 if (de_ctx != NULL)
4826 SigGroupCleanup(de_ctx);
4827 if (de_ctx != NULL)
4828 DetectEngineCtxFree(de_ctx);
4829
4830 StreamTcpFreeConfig(TRUE);
4831 FLOW_DESTROY(&f);
4832
4833 UTHFreePackets(&p1, 1);
4834 UTHFreePackets(&p2, 1);
4835
4836 /* Restore mode to IDS */
4837 EngineModeSetIDS();
4838 return result;
4839 }
4840
4841 /** \test test if the engine set flag to drop pkts of a flow that
4842 * triggered a drop action on IDS mode, but continue the inspection
4843 * as usual (instead of on IPS mode) */
SigTestDropFlow04(void)4844 static int SigTestDropFlow04(void)
4845 {
4846 int result = 0;
4847 Flow f;
4848 HtpState *http_state = NULL;
4849 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4850 "User-Agent: Mozilla/1.0\r\n"
4851 "Cookie: hellocatch\r\n\r\n";
4852 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4853
4854 uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4855 "User-Agent: Mozilla/1.0\r\n"
4856 "Cookie: hellocatch\r\n\r\n";
4857 uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4858
4859 TcpSession ssn;
4860 Packet *p1 = NULL;
4861 Packet *p2 = NULL;
4862 Signature *s = NULL;
4863 ThreadVars tv;
4864 DetectEngineThreadCtx *det_ctx = NULL;
4865 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4866
4867 memset(&tv, 0, sizeof(ThreadVars));
4868 memset(&f, 0, sizeof(Flow));
4869 memset(&ssn, 0, sizeof(TcpSession));
4870
4871 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4872 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4873
4874 FLOW_INITIALIZE(&f);
4875 f.protoctx = (void *)&ssn;
4876 f.proto = IPPROTO_TCP;
4877 f.flags |= FLOW_IPV4;
4878
4879 p1->flow = &f;
4880 p1->flowflags |= FLOW_PKT_TOSERVER;
4881 p1->flowflags |= FLOW_PKT_ESTABLISHED;
4882 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4883
4884 p2->flow = &f;
4885 p2->flowflags |= FLOW_PKT_TOSERVER;
4886 p2->flowflags |= FLOW_PKT_ESTABLISHED;
4887 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4888 f.alproto = ALPROTO_HTTP;
4889
4890 StreamTcpInitConfig(TRUE);
4891
4892 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4893 if (de_ctx == NULL) {
4894 goto end;
4895 }
4896 de_ctx->flags |= DE_QUIET;
4897
4898 s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4899 "(msg:\"Test proto match\"; uricontent:\"one\";"
4900 "sid:1;)");
4901 if (s == NULL) {
4902 goto end;
4903 }
4904
4905 /* the no inspection flag should be set after the first sig gets triggered,
4906 * so the second packet should not match the next sig (because of no inspection) */
4907 s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4908 "(msg:\"Test proto match\"; uricontent:\"two\";"
4909 "sid:2;)");
4910 if (s == NULL) {
4911 goto end;
4912 }
4913
4914 SigGroupBuild(de_ctx);
4915 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4916
4917 FLOWLOCK_WRLOCK(&f);
4918 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4919 STREAM_TOSERVER, http_buf1, http_buf1_len);
4920 if (r != 0) {
4921 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4922 FLOWLOCK_UNLOCK(&f);
4923 goto end;
4924 }
4925 FLOWLOCK_UNLOCK(&f);
4926
4927 http_state = f.alstate;
4928 if (http_state == NULL) {
4929 printf("no http state: ");
4930 goto end;
4931 }
4932
4933 /* do detect */
4934 SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4935
4936 if (!PacketAlertCheck(p1, 1)) {
4937 printf("sig 1 didn't alert on p1, but it should: ");
4938 goto end;
4939 }
4940
4941 if (PacketAlertCheck(p1, 2)) {
4942 printf("sig 2 alerted on p1, but it should not: ");
4943 goto end;
4944 }
4945
4946 if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4947 printf("sig 1 alerted but flow was not flagged correctly: ");
4948 goto end;
4949 }
4950
4951 if (!(PACKET_TEST_ACTION(p1, ACTION_DROP))) {
4952 printf("A \"drop\" action was set from the flow to the packet "
4953 "which is right, but setting the flag shouldn't disable "
4954 "inspection on the packet in IDS mode");
4955 goto end;
4956 }
4957
4958 /* Second part.. Let's feed with another packet */
4959 if (StreamTcpCheckFlowDrops(p2) == 1) {
4960 FlowSetNoPacketInspectionFlag(p2->flow);
4961 DecodeSetNoPacketInspectionFlag(p2);
4962 StreamTcpDisableAppLayer(p2->flow);
4963 p2->action |= ACTION_DROP;
4964 /* return the segments to the pool */
4965 StreamTcpSessionPktFree(p2);
4966 }
4967
4968 if ( (p2->flags & PKT_NOPACKET_INSPECTION)) {
4969 printf("The packet was flagged with no-inspection but we are not on IPS mode: ");
4970 goto end;
4971 }
4972
4973 FLOWLOCK_WRLOCK(&f);
4974 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4975 STREAM_TOSERVER, http_buf2, http_buf2_len);
4976 if (r != 0) {
4977 printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4978 FLOWLOCK_UNLOCK(&f);
4979 goto end;
4980 }
4981 FLOWLOCK_UNLOCK(&f);
4982
4983 /* do detect */
4984 SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4985
4986 if (PacketAlertCheck(p2, 1)) {
4987 printf("sig 1 alerted, but it should not: ");
4988 goto end;
4989 }
4990
4991 if (!PacketAlertCheck(p2, 2)) {
4992 printf("sig 2 didn't alert, but it should, since we are not on IPS mode: ");
4993 goto end;
4994 }
4995
4996 if (!(PACKET_TEST_ACTION(p2, ACTION_DROP))) {
4997 printf("A \"drop\" action was set from the flow to the packet "
4998 "which is right, but setting the flag shouldn't disable "
4999 "inspection on the packet in IDS mode");
5000 goto end;
5001 }
5002
5003 result = 1;
5004
5005 end:
5006 if (alp_tctx != NULL)
5007 AppLayerParserThreadCtxFree(alp_tctx);
5008 if (det_ctx != NULL)
5009 DetectEngineThreadCtxDeinit(&tv, det_ctx);
5010 if (de_ctx != NULL)
5011 SigGroupCleanup(de_ctx);
5012 if (de_ctx != NULL)
5013 DetectEngineCtxFree(de_ctx);
5014
5015 StreamTcpFreeConfig(TRUE);
5016 FLOW_DESTROY(&f);
5017
5018 UTHFreePackets(&p1, 1);
5019 UTHFreePackets(&p2, 1);
5020
5021 return result;
5022 }
5023
5024 /** \test ICMP packet shouldn't be matching port based sig
5025 * Bug #611 */
SigTestPorts01(void)5026 static int SigTestPorts01(void)
5027 {
5028 int result = 0;
5029 Packet *p1 = NULL;
5030 Signature *s = NULL;
5031 ThreadVars tv;
5032 DetectEngineThreadCtx *det_ctx = NULL;
5033 uint8_t payload[] = "AAAAAAAAAAAAAAAAAA";
5034
5035 memset(&tv, 0, sizeof(ThreadVars));
5036
5037 p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_ICMP);
5038
5039 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5040 if (de_ctx == NULL) {
5041 goto end;
5042 }
5043 de_ctx->flags |= DE_QUIET;
5044
5045 s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any 80 "
5046 "(content:\"AAA\"; sid:1;)");
5047 if (s == NULL) {
5048 goto end;
5049 }
5050
5051 SigGroupBuild(de_ctx);
5052 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
5053
5054 /* do detect */
5055 SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
5056
5057 if (PacketAlertCheck(p1, 1)) {
5058 printf("sig 1 alerted on p1, but it should not: ");
5059 goto end;
5060 }
5061
5062 result = 1;
5063 end:
5064 if (det_ctx != NULL)
5065 DetectEngineThreadCtxDeinit(&tv, det_ctx);
5066 if (de_ctx != NULL)
5067 SigGroupCleanup(de_ctx);
5068 if (de_ctx != NULL)
5069 DetectEngineCtxFree(de_ctx);
5070
5071 UTHFreePackets(&p1, 1);
5072 return result;
5073 }
5074
5075 /** \test almost identical patterns */
SigTestBug01(void)5076 static int SigTestBug01(void)
5077 {
5078 int result = 0;
5079 Packet *p1 = NULL;
5080 Signature *s = NULL;
5081 ThreadVars tv;
5082 DetectEngineThreadCtx *det_ctx = NULL;
5083 uint8_t payload[] = "!mymy";
5084
5085 memset(&tv, 0, sizeof(ThreadVars));
5086
5087 p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
5088
5089 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5090 if (de_ctx == NULL) {
5091 goto end;
5092 }
5093 de_ctx->flags |= DE_QUIET;
5094
5095 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
5096 "(content:\"Omymy\"; nocase; sid:1;)");
5097 if (s == NULL) {
5098 goto end;
5099 }
5100 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
5101 "(content:\"!mymy\"; nocase; sid:2;)");
5102 if (s == NULL) {
5103 goto end;
5104 }
5105
5106 SigGroupBuild(de_ctx);
5107 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
5108
5109 /* do detect */
5110 SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
5111
5112 if (PacketAlertCheck(p1, 1)) {
5113 printf("sig 1 alerted on p1, but it should not: ");
5114 goto end;
5115 }
5116 if (!(PacketAlertCheck(p1, 2))) {
5117 printf("sig 2 did not p1, but it should have: ");
5118 goto end;
5119 }
5120
5121 result = 1;
5122 end:
5123 if (det_ctx != NULL)
5124 DetectEngineThreadCtxDeinit(&tv, det_ctx);
5125 if (de_ctx != NULL)
5126 SigGroupCleanup(de_ctx);
5127 if (de_ctx != NULL)
5128 DetectEngineCtxFree(de_ctx);
5129
5130 UTHFreePackets(&p1, 1);
5131 return result;
5132 }
5133
5134 static const char *dummy_conf_string2 =
5135 "%YAML 1.1\n"
5136 "---\n"
5137 "vars:\n"
5138 "\n"
5139 " address-groups:\n"
5140 "\n"
5141 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
5142 "\n"
5143 " EXTERNAL_NET: \"any\"\n"
5144 "\n"
5145 " port-groups:\n"
5146 "\n"
5147 " HTTP_PORTS: \"80:81,88\"\n"
5148 "\n";
5149
DetectAddressYamlParsing01(void)5150 static int DetectAddressYamlParsing01 (void)
5151 {
5152 int result = 0;
5153
5154 ConfCreateContextBackup();
5155 ConfInit();
5156 ConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
5157
5158 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5159 if (de_ctx == NULL) {
5160 goto end;
5161 }
5162
5163 de_ctx->flags |= DE_QUIET;
5164
5165 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5166 goto end;
5167 if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5168 goto end;
5169 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5170 goto end;
5171
5172 result = 1;
5173
5174 DetectEngineCtxFree(de_ctx);
5175 end:
5176 ConfDeInit();
5177 ConfRestoreContextBackup();
5178 return result;
5179 }
5180
5181 static const char *dummy_conf_string3 =
5182 "%YAML 1.1\n"
5183 "---\n"
5184 "vars:\n"
5185 "\n"
5186 " address-groups:\n"
5187 "\n"
5188 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5189 "\n"
5190 " EXTERNAL_NET: \"any\"\n"
5191 "\n"
5192 " port-groups:\n"
5193 "\n"
5194 " HTTP_PORTS: \"80:81,88\"\n"
5195 "\n";
5196
DetectAddressYamlParsing02(void)5197 static int DetectAddressYamlParsing02 (void)
5198 {
5199 int result = 0;
5200
5201 ConfCreateContextBackup();
5202 ConfInit();
5203 ConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
5204
5205 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5206 if (de_ctx == NULL) {
5207 goto end;
5208 }
5209
5210 de_ctx->flags |= DE_QUIET;
5211
5212 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5213 goto end;
5214 if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5215 goto end;
5216 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5217 goto end;
5218
5219 result = 1;
5220
5221 DetectEngineCtxFree(de_ctx);
5222 end:
5223 ConfDeInit();
5224 ConfRestoreContextBackup();
5225 return result;
5226 }
5227
5228 static const char *dummy_conf_string4 =
5229 "%YAML 1.1\n"
5230 "---\n"
5231 "vars:\n"
5232 "\n"
5233 " address-groups:\n"
5234 "\n"
5235 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5236 "\n"
5237 " EXTERNAL_NET: \"any\"\n"
5238 "\n"
5239 " port-groups:\n"
5240 "\n"
5241 " HTTP_PORTS: \"80:81,88\"\n"
5242 "\n";
5243
DetectAddressYamlParsing03(void)5244 static int DetectAddressYamlParsing03 (void)
5245 {
5246 int result = 0;
5247
5248 ConfCreateContextBackup();
5249 ConfInit();
5250 ConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
5251
5252 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5253 if (de_ctx == NULL) {
5254 goto end;
5255 }
5256
5257 de_ctx->flags |= DE_QUIET;
5258
5259 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5260 goto end;
5261 if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5262 goto end;
5263 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5264 goto end;
5265
5266 result = 1;
5267
5268 DetectEngineCtxFree(de_ctx);
5269 end:
5270 ConfDeInit();
5271 ConfRestoreContextBackup();
5272 return result;
5273 }
5274
5275 static const char *dummy_conf_string5 =
5276 "%YAML 1.1\n"
5277 "---\n"
5278 "vars:\n"
5279 "\n"
5280 " address-groups:\n"
5281 "\n"
5282 " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
5283 "\n"
5284 " EXTERNAL_NET: \"any\"\n"
5285 "\n"
5286 " port-groups:\n"
5287 "\n"
5288 " HTTP_PORTS: \"80:81,88\"\n"
5289 "\n";
5290
5291 /** \test bug #815 */
DetectAddressYamlParsing04(void)5292 static int DetectAddressYamlParsing04 (void)
5293 {
5294 int result = 0;
5295
5296 ConfCreateContextBackup();
5297 ConfInit();
5298 ConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
5299
5300 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
5301 if (de_ctx == NULL) {
5302 goto end;
5303 }
5304
5305 de_ctx->flags |= DE_QUIET;
5306
5307 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5308 goto end;
5309 if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5310 goto end;
5311 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5312 goto end;
5313
5314 result = 1;
5315
5316 DetectEngineCtxFree(de_ctx);
5317 end:
5318 ConfDeInit();
5319 ConfRestoreContextBackup();
5320 return result;
5321 }
5322
SigRegisterTests(void)5323 void SigRegisterTests(void)
5324 {
5325 SigParseRegisterTests();
5326 IPOnlyRegisterTests();
5327
5328 UtRegisterTest("SigTest01", SigTest01);
5329 UtRegisterTest("SigTest02 -- Offset/Depth match", SigTest02);
5330 UtRegisterTest("SigTest03 -- offset/depth mismatch", SigTest03);
5331 UtRegisterTest("SigTest04 -- distance/within match", SigTest04);
5332 UtRegisterTest("SigTest05 -- distance/within mismatch", SigTest05);
5333 UtRegisterTest("SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
5334 UtRegisterTest("SigTest07 -- uricontent HTTP/1.1 mismatch test",
5335 SigTest07);
5336 UtRegisterTest("SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
5337 UtRegisterTest("SigTest09 -- uricontent HTTP/1.0 mismatch test",
5338 SigTest09);
5339 UtRegisterTest("SigTest10 -- long content match, longer than pkt",
5340 SigTest10);
5341 UtRegisterTest("SigTest11 -- mpm searching", SigTest11);
5342 UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12);
5343 UtRegisterTest("SigTest13 -- content order matching, diff order",
5344 SigTest13);
5345 UtRegisterTest("SigTest14 -- content order matching, distance 0",
5346 SigTest14);
5347 UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15);
5348 UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16);
5349 UtRegisterTest("SigTest17 -- HTTP Host Pkt var capture", SigTest17);
5350 UtRegisterTest("SigTest18 -- Ftp negation sig test", SigTest18);
5351 UtRegisterTest("SigTest19 -- IP-ONLY test (1)", SigTest19);
5352 UtRegisterTest("SigTest20 -- IP-ONLY test (2)", SigTest20);
5353 UtRegisterTest("SigTest21 -- FLOWBIT test (1)", SigTest21);
5354 UtRegisterTest("SigTest22 -- FLOWBIT test (2)", SigTest22);
5355 UtRegisterTest("SigTest23 -- FLOWBIT test (3)", SigTest23);
5356
5357 UtRegisterTest("SigTest24IPV4Keyword", SigTest24IPV4Keyword);
5358 UtRegisterTest("SigTest25NegativeIPV4Keyword",
5359 SigTest25NegativeIPV4Keyword);
5360
5361 UtRegisterTest("SigTest26TCPV4Keyword", SigTest26TCPV4Keyword);
5362 UtRegisterTest("SigTest26TCPV4AndNegativeIPV4Keyword",
5363 SigTest26TCPV4AndNegativeIPV4Keyword);
5364 UtRegisterTest("SigTest26TCPV4AndIPV4Keyword",
5365 SigTest26TCPV4AndIPV4Keyword);
5366 UtRegisterTest("SigTest27NegativeTCPV4Keyword",
5367 SigTest27NegativeTCPV4Keyword);
5368
5369 UtRegisterTest("SigTest28TCPV6Keyword", SigTest28TCPV6Keyword);
5370 UtRegisterTest("SigTest29NegativeTCPV6Keyword",
5371 SigTest29NegativeTCPV6Keyword);
5372
5373 UtRegisterTest("SigTest30UDPV4Keyword", SigTest30UDPV4Keyword);
5374 UtRegisterTest("SigTest31NegativeUDPV4Keyword",
5375 SigTest31NegativeUDPV4Keyword);
5376
5377 UtRegisterTest("SigTest32UDPV6Keyword", SigTest32UDPV6Keyword);
5378 UtRegisterTest("SigTest33NegativeUDPV6Keyword",
5379 SigTest33NegativeUDPV6Keyword);
5380
5381 UtRegisterTest("SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
5382 UtRegisterTest("SigTest35NegativeICMPV4Keyword",
5383 SigTest35NegativeICMPV4Keyword);
5384 UtRegisterTest("SigTest36ContentAndIsdataatKeywords01",
5385 SigTest36ContentAndIsdataatKeywords01);
5386 UtRegisterTest("SigTest37ContentAndIsdataatKeywords02",
5387 SigTest37ContentAndIsdataatKeywords02);
5388
5389 UtRegisterTest("SigTest38 -- byte_test test (1)", SigTest38);
5390
5391 UtRegisterTest("SigTest39 -- byte_jump test (2)", SigTest39);
5392
5393 UtRegisterTest("SigTest40NoPacketInspection01",
5394 SigTest40NoPacketInspection01);
5395 UtRegisterTest("SigTest40NoPayloadInspection02",
5396 SigTest40NoPayloadInspection02);
5397
5398 UtRegisterTest("SigTestMemory01", SigTestMemory01);
5399 UtRegisterTest("SigTestMemory02", SigTestMemory02);
5400 UtRegisterTest("SigTestMemory03", SigTestMemory03);
5401
5402 UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01);
5403 UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
5404 UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance",
5405 SigTestContent03);
5406 UtRegisterTest("SigTestContent04 -- 32 byte pattern, x2 + distance/within",
5407 SigTestContent04);
5408 UtRegisterTest("SigTestContent05 -- distance/within", SigTestContent05);
5409 UtRegisterTest("SigTestContent06 -- distance/within ip only",
5410 SigTestContent06);
5411
5412 UtRegisterTest("SigTestWithinReal01", SigTestWithin01);
5413 UtRegisterTest("SigTestDepthOffset01", SigTestDepthOffset01);
5414
5415 UtRegisterTest("SigTestDetectAlertCounter", SigTestDetectAlertCounter);
5416
5417 UtRegisterTest("SigTestDropFlow01", SigTestDropFlow01);
5418 UtRegisterTest("SigTestDropFlow02", SigTestDropFlow02);
5419 UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03);
5420 UtRegisterTest("SigTestDropFlow04", SigTestDropFlow04);
5421
5422 UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01);
5423 UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02);
5424 UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03);
5425 UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04);
5426
5427 UtRegisterTest("SigTestPorts01", SigTestPorts01);
5428 UtRegisterTest("SigTestBug01", SigTestBug01);
5429
5430 DetectEngineContentInspectionRegisterTests();
5431 }
5432 #endif /* UNITTESTS */
5433