/**
 * \test msg keyword: a plain message string comes out of signature parsing
 *       unchanged. A dummy classification config is loaded first, presumably
 *       because the rule carries a classtype option.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectMsgParseTest01(void)
{
    const char *expected = "flow stateless to_server";
    Signature *sig = NULL;
    int ok = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto cleanup;

    /* generate, load and drop the dummy classification config */
    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"flow stateless to_server\"; flow:stateless,to_server; content:\"flowstatelesscheck\"; classtype:bad-unknown; sid: 40000002; rev: 1;)");
    if (sig == NULL)
        goto cleanup;

    if (strcmp(sig->msg, expected) == 0) {
        ok = 1;
    } else {
        printf("got \"%s\", expected: \"%s\": ", sig->msg, expected);
    }

cleanup:
    if (sig != NULL)
        SigFree(sig);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return ok;
}
/**
 * \test msg keyword: backslash escapes inside the message are stripped by the
 *       parser, so the escaped sequence in the rule must parse to
 *       `msg escape tests wxy'"\;:`.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectMsgParseTest02(void)
{
    const char *expected = "msg escape tests wxy'\"\\;:";
    Signature *sig = NULL;
    int ok = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto cleanup;

    sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"msg escape tests \\w\\x\\y\\'\\\"\\\\;\\:\"; flow:to_server,established; content:\"blah\"; uricontent:\"/blah/\"; sid: 100;)");
    if (sig == NULL)
        goto cleanup;

    if (strcmp(sig->msg, expected) == 0) {
        ok = 1;
    } else {
        printf("got \"%s\", expected: \"%s\": ",sig->msg, expected);
    }

cleanup:
    if (sig != NULL)
        SigFree(sig);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return ok;
}
/**
 * \test byte_jump with the dce option on a DCERPC signature: which option
 *       combinations DetectBytejumpSetup() accepts (returns 0) and which it
 *       rejects (returns -1). All calls go against the same signature; at the
 *       end the sigmatches must live in the PMATCH list and not in DMATCH.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectBytejumpTestParse09(void)
{
    /* option string and the return value DetectBytejumpSetup() must produce.
     * "4,0,dce" is deliberately listed twice, as in the original test. */
    static const struct {
        char *opts;
        int expect;
    } cases[] = {
        { "4,0, align, multiplier 2, post_offset -16,dce", 0 },
        { "4,0, multiplier 2, post_offset -16,dce", 0 },
        { "4,0,post_offset -16,dce", 0 },
        { "4,0,dce", 0 },
        { "4,0,dce", 0 },
        { "4,0, string, dce", -1 },
        { "4,0, big, dce", -1 },
        { "4,0, little, dce", -1 },
        { "4,0, string, dec, dce", -1 },
        { "4,0, string, oct, dce", -1 },
        { "4,0, string, hex, dce", -1 },
        { "4,0, from_beginning, dce", -1 },
    };

    Signature *s = SigAlloc();
    if (s == NULL)
        return 0;

    int passed = 1;
    s->alproto = ALPROTO_DCERPC;

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (DetectBytejumpSetup(NULL, s, cases[i].opts) != cases[i].expect)
            passed = 0;
    }

    /* dce byte_jump must end up as a payload match, not a dce match */
    if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL ||
        s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL)
        passed = 0;

    SigFree(s);
    return passed;
}
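/**
 * \test Check that signatures with invalid address and port groups are
 *       rejected by the signature parsing API (SigInit returns NULL).
 *
 * Each rule references a variable that is either unknown ($HTTP_SERVER,
 * $http_servers) or used as the wrong group kind, so every SigInit() call is
 * expected to fail. A signature that unexpectedly parses makes the test fail
 * and is released in the cleanup path (previously it leaked).
 *
 * \retval 1 on success, 0 on failure
 */
int SCRuleVarsNegativeTest04(void)
{
    static char *const rules[] = {
        "alert tcp $HTTP_SERVER any -> any any (msg:\"Rule Vars Test\"; sid:1;)",
        "alert tcp $http_servers any -> any any (msg:\"Rule Vars Test\"; sid:1;)",
        "alert tcp $http_servers any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)",
        "alert tcp !$TELNET_SERVERS !80 -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)",
    };

    int result = 0;
    Signature *s = NULL;
    DetectEngineCtx *de_ctx = NULL;

    ConfCreateContextBackup();
    ConfInit();
    ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));

    if ((de_ctx = DetectEngineCtxInit()) == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        s = SigInit(de_ctx, rules[i]);
        if (s != NULL) {
            /* parsed although it should have been rejected */
            goto end;
        }
    }

    result = 1;

end:
    /* only non-NULL on the failure path above */
    if (s != NULL)
        SigFree(s);
    ConfDeInit();
    ConfRestoreContextBackup();
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return result;
}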
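/**
 * \test isdataat on a DCERPC signature: without "relative" the sigmatch goes
 *       to the PMATCH list, with "relative" it goes to the DMATCH list.
 *
 * Both SigAlloc() results are now NULL-checked before being dereferenced,
 * matching the other *TestParse* tests in this file.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectIsdataatTestParse04(void)
{
    int result = 1;

    Signature *s = SigAlloc();
    if (s == NULL)
        return 0;
    s->alproto = ALPROTO_DCERPC;
    result &= (DetectIsdataatSetup(NULL, s, "30") == 0);
    result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL &&
               s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
    SigFree(s);

    s = SigAlloc();
    if (s == NULL)
        return 0;
    s->alproto = ALPROTO_DCERPC;
    /* NOTE(review): the original comment said this should fail because there
     * is no preceding content/pcre/bytejump, but the assertion expects setup
     * to succeed (return 0) and populate DMATCH -- confirm the intent. */
    result &= (DetectIsdataatSetup(NULL, s, "30,relative") == 0);
    result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL &&
               s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
    SigFree(s);

    return result;
}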
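/**
 * \test Setup of the ftpbounce keyword: DetectFtpbounceSetup() succeeds and
 *       leaves a DETECT_FTPBOUNCE sigmatch in the ftp request list.
 *
 * The sigmatch type is compared with == rather than the previous
 * "type & DETECT_FTPBOUNCE", which also accepted any other type that merely
 * shares a bit with DETECT_FTPBOUNCE.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectFtpbounceTestSetup01(void)
{
    DetectEngineCtx *de_ctx = NULL;
    Signature *s = SigAlloc();
    FAIL_IF(s == NULL);

    /* ftpbounce takes no options, so the option string is NULL */
    FAIL_IF_NOT(DetectFtpbounceSetup(de_ctx, s, NULL) == 0);
    FAIL_IF(s->sm_lists[g_ftp_request_list_id] == NULL);
    FAIL_IF_NOT(s->sm_lists[g_ftp_request_list_id]->type == DETECT_FTPBOUNCE);

    SigFree(s);
    PASS;
}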
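/**
 * \test Setup of the ftpbounce keyword: DetectFtpbounceSetup() succeeds and
 *       leaves a DETECT_FTPBOUNCE sigmatch in the AMATCH list.
 *
 * The sigmatch type is compared with == rather than the previous
 * "type & DETECT_FTPBOUNCE", which also accepted any other type that merely
 * shares a bit with DETECT_FTPBOUNCE.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectFtpbounceTestSetup01(void)
{
    DetectEngineCtx *de_ctx = NULL;
    Signature *s = SigAlloc();
    if (s == NULL)
        return 0;

    int res = 1;
    /* ftpbounce takes no options, so the option string is NULL */
    res &= (DetectFtpbounceSetup(de_ctx, s, NULL) == 0);
    /* short-circuit keeps the deref safe when no sigmatch was added */
    res &= (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL &&
            s->sm_lists[DETECT_SM_LIST_AMATCH]->type == DETECT_FTPBOUNCE);

    SigFree(s);
    return res;
}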
/**
 * \test byte_test with the dce option on a DCERPC signature: plain "dce" is
 *       accepted (returns 0), while combining it with string/big/little/hex/
 *       oct/dec is rejected (returns -1). All calls go against one signature.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectBytetestTestParse19(void)
{
    /* option string and the return value DetectBytetestSetup() must produce */
    static const struct {
        char *opts;
        int expect;
    } cases[] = {
        { "1,=,1,6,dce", 0 },
        { "1,=,1,6,string,dce", -1 },
        { "1,=,1,6,big,dce", -1 },
        { "1,=,1,6,little,dce", -1 },
        { "1,=,1,6,hex,dce", -1 },
        { "1,=,1,6,oct,dce", -1 },
        { "1,=,1,6,dec,dce", -1 },
    };

    Signature *s = SigAlloc();
    if (s == NULL)
        return 0;

    int passed = 1;
    s->alproto = ALPROTO_DCERPC;

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (DetectBytetestSetup(NULL, s, cases[i].opts) != cases[i].expect)
            passed = 0;
    }

    SigFree(s);
    return passed;
}
/**
 * \test Check that signatures with valid address and port groups are parsed
 *       without error by the signature parsing API.
 *
 * Only one rule is live; the other address/port group variants that used to
 * be part of this test are kept below as a disabled list (they were already
 * commented out in the original) so they can be re-enabled by moving them
 * into the array.
 *
 * \retval 1 on success, 0 on failure
 */
int SCRuleVarsPositiveTest03(void)
{
    static char *const rules[] = {
        /* disabled in the original test, kept for reference:
         *   "alert tcp $HTTP_SERVERS any -> any any (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp $SMTP_SERVERS any -> $HTTP_SERVERS any (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp $AIM_SERVERS any -> $AIM_SERVERS any (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp $TELNET_SERVERS any -> any $SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp $TELNET_SERVERS any -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp $TELNET_SERVERS 80 -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp $TELNET_SERVERS !80 -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp !$HTTP_SERVERS !80 -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp 192.168.1.2 any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp !192.168.1.2 any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp !192.168.1.2 any -> any !$HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp !192.168.1.2 any -> !$HTTP_SERVERS !$HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp !192.168.1.2 $HTTP_PORTS -> !$HTTP_SERVERS !$HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp [!192.168.24.0/23,!167.12.0.0/24] any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp ![192.168.24.0/23,!167.12.0.0/24] any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp [$HOME_NET,!192.168.1.2] $HTTP_PORTS -> !$HTTP_SERVERS !$HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp [[192.168.1.3,$EXTERNAL_NET],192.168.2.5] $HTTP_PORTS -> !$HTTP_SERVERS !$HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)"
         *   "alert tcp [[192.168.1.3,$EXTERNAL_NET],192.168.2.5] $HTTP_PORTS -> !$HTTP_SERVERS [80,[!$HTTP_PORTS,$ORACLE_PORTS]] (msg:\"Rule Vars Test\"; sid:1;)"
         */
        "alert tcp [$HTTP_SERVERS,$HOME_NET,192.168.2.5] $HTTP_PORTS -> $EXTERNAL_NET [80,[!$HTTP_PORTS,$ORACLE_PORTS]] (msg:\"Rule Vars Test\"; sid:1;)",
    };

    int result = 0;
    Signature *s = NULL;
    DetectEngineCtx *de_ctx = NULL;

    ConfCreateContextBackup();
    ConfInit();
    ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));

    if ((de_ctx = DetectEngineCtxInit()) == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        s = SigInit(de_ctx, rules[i]);
        if (s == NULL) {
            /* a valid rule failed to parse */
            goto end;
        }
        SigFree(s);
    }

    result = 1;

end:
    ConfDeInit();
    ConfRestoreContextBackup();
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return result;
}