/**
 * \test Parse a rule whose msg option is a plain string and verify that
 *       the resulting Signature's msg field holds exactly the text between
 *       the quotes.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectMsgParseTest01(void)
{
    const char *expected = "flow stateless to_server";
    int ok = 0;
    Signature *sig = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto cleanup;

    /* The rule carries a classtype option; a dummy classification config is
     * loaded (and its fd removed again) before parsing — presumably so the
     * classtype can be resolved. */
    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"flow stateless to_server\"; flow:stateless,to_server; content:\"flowstatelesscheck\"; classtype:bad-unknown; sid: 40000002; rev: 1;)");
    if (sig == NULL)
        goto cleanup;

    if (strcmp(sig->msg, expected) == 0) {
        ok = 1;
    } else {
        printf("got \"%s\", expected: \"%s\": ", sig->msg, expected);
    }

cleanup:
    if (sig != NULL)
        SigFree(sig);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return ok;
}
/**
 * \test Parse a rule whose msg option is full of backslash escapes and
 *       verify the unescaped result.
 *
 * In the rule text the msg reads `\w\x\y\'\"\\;\:`. The expected output is
 * `wxy'"\;:` — every escaped character comes out without its backslash
 * (`\\` collapses to a single backslash), and the escaped `;` and `:` must
 * not terminate the option.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectMsgParseTest02(void)
{
    const char *expected = "msg escape tests wxy'\"\\;:";
    int ok = 0;
    Signature *sig = NULL;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto cleanup;

    sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"msg escape tests \\w\\x\\y\\'\\\"\\\\;\\:\"; flow:to_server,established; content:\"blah\"; uricontent:\"/blah/\"; sid: 100;)");
    if (sig == NULL)
        goto cleanup;

    if (strcmp(sig->msg, expected) == 0) {
        ok = 1;
    } else {
        printf("got \"%s\", expected: \"%s\": ",sig->msg, expected);
    }

cleanup:
    if (sig != NULL)
        SigFree(sig);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return ok;
}
/**
 * \test Test dce option.
 *
 * On a DCERPC signature the dce modifier must be accepted on its own and
 * together with align / multiplier / post_offset, but rejected (setup
 * returns -1) when combined with string, endianness, numeric-base or
 * from_beginning modifiers. Afterwards the DMATCH list must be empty and
 * the PMATCH list populated.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectBytejumpTestParse09(void) {
    /* Option strings the setup function must accept (return 0). The last
     * entry is deliberately repeated: the original test sets "4,0,dce" up
     * twice, and the list state at the end depends on that. */
    static char *const accepted[] = {
        "4,0, align, multiplier 2, post_offset -16,dce",
        "4,0, multiplier 2, post_offset -16,dce",
        "4,0,post_offset -16,dce",
        "4,0,dce",
        "4,0,dce",
    };
    /* Option strings the setup function must reject (return -1). */
    static char *const rejected[] = {
        "4,0, string, dce",
        "4,0, big, dce",
        "4,0, little, dce",
        "4,0, string, dec, dce",
        "4,0, string, oct, dce",
        "4,0, string, hex, dce",
        "4,0, from_beginning, dce",
    };

    Signature *s = SigAlloc();
    if (s == NULL)
        return 0;
    s->alproto = ALPROTO_DCERPC;

    int ok = 1;
    for (size_t i = 0; i < sizeof accepted / sizeof accepted[0]; i++)
        ok &= (DetectBytejumpSetup(NULL, s, accepted[i]) == 0);
    for (size_t i = 0; i < sizeof rejected / sizeof rejected[0]; i++)
        ok &= (DetectBytejumpSetup(NULL, s, rejected[i]) == -1);
    ok &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL);
    ok &= (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);

    SigFree(s);
    return ok;
}
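/**
 * \test Check that Signatures with invalid address and port groups are
 *       rejected by the Signature parsing API.
 *
 * Each rule below references a variable name that the dummy configuration
 * is not expected to define (wrong case or unknown name), so SigInit() must
 * return NULL for all of them. A rule that unexpectedly parses is reported
 * and counted as a failure.
 *
 * Fix over the previous version: a Signature that parsed unexpectedly was
 * never freed on the failure path; it is now released at the end label.
 *
 * \retval 1 on success, 0 on failure
 */
int SCRuleVarsNegativeTest04(void)
{
    /* Rules that must all fail to parse. */
    static char *const bad_rules[] = {
        "alert tcp $HTTP_SERVER any -> any any (msg:\"Rule Vars Test\"; sid:1;)",
        "alert tcp $http_servers any -> any any (msg:\"Rule Vars Test\"; sid:1;)",
        "alert tcp $http_servers any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)",
        "alert tcp !$TELNET_SERVERS !80 -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)",
    };

    int result = 0;
    Signature *s = NULL;
    DetectEngineCtx *de_ctx = NULL;

    /* Make the dummy YAML config the active one for the duration of the test;
     * it is restored at the end label. */
    ConfCreateContextBackup();
    ConfInit();
    ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));

    if ((de_ctx = DetectEngineCtxInit()) == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    for (size_t i = 0; i < sizeof bad_rules / sizeof bad_rules[0]; i++) {
        s = SigInit(de_ctx, bad_rules[i]);
        if (s != NULL) {
            printf("rule %zu unexpectedly parsed: %s\n", i, bad_rules[i]);
            goto end;
        }
    }

    result = 1;

end:
    /* s is only non-NULL when a rule parsed unexpectedly; free it so the
     * failure path does not leak. */
    if (s != NULL)
        SigFree(s);

    ConfDeInit();
    ConfRestoreContextBackup();

    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return result;
}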
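/**
 * \test Test isdataat option for dce sig.
 *
 * Runs DetectIsdataatSetup() on two freshly allocated DCERPC signatures and
 * checks which match list the keyword lands in: plain "30" must end up in
 * the PMATCH list only, "30,relative" in the DMATCH list only.
 *
 * Fix over the previous version: the result of SigAlloc() was dereferenced
 * without a NULL check (twice).
 *
 * \retval 1 on success, 0 on failure
 */
int DetectIsdataatTestParse04(void)
{
    int result = 1;

    Signature *s = SigAlloc();
    if (s == NULL)
        return 0;
    s->alproto = ALPROTO_DCERPC;

    result &= (DetectIsdataatSetup(NULL, s, "30") == 0);
    result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
    SigFree(s);

    s = SigAlloc();
    if (s == NULL)
        return 0;
    s->alproto = ALPROTO_DCERPC;

    /* NOTE(review): the original comment claimed this should fail because no
     * content/pcre/bytejump precedes it, but the assertions expect setup to
     * succeed (== 0) and the match to land in the DMATCH list. The assertions
     * are the contract under test; the comment was wrong. */
    result &= (DetectIsdataatSetup(NULL, s, "30,relative") == 0);
    result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
    SigFree(s);

    return result;
}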
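/**
 * \test DetectFtpbounceTestSetup01 is a test for the Setup ftpbounce
 *
 * Sets the ftpbounce keyword up on a fresh Signature with a NULL engine
 * context and checks that a match with type DETECT_FTPBOUNCE was appended
 * to the ftp request list.
 *
 * Fix over the previous version: every FAIL_IF* returned straight out of the
 * function, leaking the Signature on any failing check. The checks are now
 * evaluated into locals first, the Signature is freed, and only then are the
 * FAIL_IF* macros applied.
 *
 * \retval 1 on success, 0 on failure (via PASS / FAIL_IF*)
 */
static int DetectFtpbounceTestSetup01(void)
{
    DetectEngineCtx *de_ctx = NULL;
    Signature *s = SigAlloc();
    FAIL_IF(s == NULL);

    /* ftpbounce doesn't accept options so the str is NULL */
    int setup_ok = (DetectFtpbounceSetup(de_ctx, s, NULL) == 0);
    int list_present = (s->sm_lists[g_ftp_request_list_id] != NULL);
    /* Only dereference the list head once we know it is there. */
    int type_ok = list_present
               && ((s->sm_lists[g_ftp_request_list_id]->type & DETECT_FTPBOUNCE) != 0);

    SigFree(s);

    FAIL_IF_NOT(setup_ok);
    FAIL_IF_NOT(list_present);
    FAIL_IF_NOT(type_ok);
    PASS;
}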
/**
 * \test DetectFtpbounceTestSetup01 is a test for the Setup ftpbounce
 *
 * Sets the ftpbounce keyword up on a fresh Signature with a NULL engine
 * context and checks that a match with type DETECT_FTPBOUNCE was appended
 * to the AMATCH list.
 *
 * \retval 1 on success, 0 on failure
 */
int DetectFtpbounceTestSetup01(void)
{
    DetectEngineCtx *de_ctx = NULL;
    Signature *s = SigAlloc();
    if (s == NULL)
        return 0;

    /* ftpbounce doesn't accept options so the str is NULL */
    int setup_ok = (DetectFtpbounceSetup(de_ctx, s, NULL) == 0);
    /* The list head is only dereferenced when it is non-NULL. */
    int list_ok = (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL)
               && ((s->sm_lists[DETECT_SM_LIST_AMATCH]->type & DETECT_FTPBOUNCE) != 0);

    SigFree(s);
    return setup_ok && list_ok;
}
/**
 * \test Test dce option.
 *
 * On a DCERPC signature the dce modifier must be accepted on its own but
 * rejected (setup returns -1) when combined with string, an endianness
 * modifier or a numeric base.
 *
 * \retval 1 on success, 0 on failure
 */
static int DetectBytetestTestParse19(void)
{
    /* Option strings the setup function must reject (return -1). */
    static char *const rejected[] = {
        "1,=,1,6,string,dce",
        "1,=,1,6,big,dce",
        "1,=,1,6,little,dce",
        "1,=,1,6,hex,dce",
        "1,=,1,6,oct,dce",
        "1,=,1,6,dec,dce",
    };

    Signature *s = SigAlloc();
    if (s == NULL)
        return 0;
    s->alproto = ALPROTO_DCERPC;

    int ok = (DetectBytetestSetup(NULL, s, "1,=,1,6,dce") == 0);
    for (size_t i = 0; i < sizeof rejected / sizeof rejected[0]; i++)
        ok &= (DetectBytetestSetup(NULL, s, rejected[i]) == -1);

    SigFree(s);
    return ok;
}
/**
 * \test Check that Signatures with valid address and port groups are parsed
 *       without any errors by the Signature parsing API.
 *
 * Only one rule — the most complex one, with nested address and port groups
 * mixing variables and literals — is actually exercised. The earlier, simpler
 * variants are disabled in the original test and are kept below in a comment
 * for reference.
 *
 * \retval 1 on success, 0 on failure
 */
int SCRuleVarsPositiveTest03(void)
{
    int ok = 0;
    DetectEngineCtx *de_ctx = NULL;

    /* Make the dummy YAML config the active one for the duration of the test;
     * it is restored at the end label. */
    ConfCreateContextBackup();
    ConfInit();
    ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    /* Disabled in the original test (each was: SigInit, fail if NULL, SigFree):
     *   alert tcp $HTTP_SERVERS any -> any any (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp $SMTP_SERVERS any -> $HTTP_SERVERS any (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp $AIM_SERVERS any -> $AIM_SERVERS any (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp $TELNET_SERVERS any -> any $SSH_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp $TELNET_SERVERS any -> any !$SSH_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp $TELNET_SERVERS 80 -> any !$SSH_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp $TELNET_SERVERS !80 -> any !$SSH_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp !$HTTP_SERVERS !80 -> any !$SSH_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp 192.168.1.2 any -> any $HTTP_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp !192.168.1.2 any -> any $HTTP_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp !192.168.1.2 any -> any !$HTTP_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp !192.168.1.2 any -> !$HTTP_SERVERS !$HTTP_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp !192.168.1.2 $HTTP_PORTS -> !$HTTP_SERVERS !$HTTP_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp [!192.168.24.0/23,!167.12.0.0/24] any -> any $HTTP_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp ![192.168.24.0/23,!167.12.0.0/24] any -> any $HTTP_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp [$HOME_NET,!192.168.1.2] $HTTP_PORTS -> !$HTTP_SERVERS !$HTTP_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp [[192.168.1.3,$EXTERNAL_NET],192.168.2.5] $HTTP_PORTS -> !$HTTP_SERVERS !$HTTP_PORTS (msg:"Rule Vars Test"; sid:1;)
     *   alert tcp [[192.168.1.3,$EXTERNAL_NET],192.168.2.5] $HTTP_PORTS -> !$HTTP_SERVERS [80,[!$HTTP_PORTS,$ORACLE_PORTS]] (msg:"Rule Vars Test"; sid:1;)
     */

    {
        Signature *s = SigInit(de_ctx, "alert tcp [$HTTP_SERVERS,$HOME_NET,192.168.2.5] $HTTP_PORTS -> $EXTERNAL_NET [80,[!$HTTP_PORTS,$ORACLE_PORTS]] (msg:\"Rule Vars Test\"; sid:1;)");
        if (s != NULL) {
            SigFree(s);
            ok = 1;
        }
    }

end:
    ConfDeInit();
    ConfRestoreContextBackup();

    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return ok;
}