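/**
 * \test DetectIsdataatTestPacket01 checks absolute and relative isdataat
 *       matches against the 7-byte payload "Hi all!" carried in one TCP,
 *       one UDP and one ICMP packet.
 *
 * \retval value returned by UTHGenericTest(), or 0 if a packet could not
 *         be built
 */
int DetectIsdataatTestPacket01 (void)
{
    int result = 0;
    uint8_t *buf = (uint8_t *)"Hi all!";
    uint16_t buflen = strlen((char *)buf);
    Packet *p[3];

    p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
    p[1] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_UDP);
    p[2] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_ICMP);

    /* A partial build failure still goes through the cleanup at "end",
     * so the packets that were built are not leaked. */
    if (p[0] == NULL || p[1] == NULL || p[2] == NULL)
        goto end;

    char *sigs[5];
    sigs[0]= "alert ip any any -> any any (msg:\"Testing window 1\"; isdataat:6; sid:1;)";
    sigs[1]= "alert ip any any -> any any (msg:\"Testing window 2\"; content:\"all\"; isdataat:1, relative; isdataat:6; sid:2;)";
    sigs[2]= "alert ip any any -> any any (msg:\"Testing window 3\"; isdataat:8; sid:3;)";
    sigs[3]= "alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:5, relative; sid:4;)";
    sigs[4]= "alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:6, relative; sid:5;)";

    uint32_t sid[5] = {1, 2, 3, 4, 5};

    /* The rules are "alert ip" and the payload is the same in every packet,
     * so all three rows are identical: sids 1, 2 and 4 are expected to
     * alert, sids 3 and 5 are not. Sids 3 and 5 are the boundary cases
     * (isdataat:8 on a 7-byte payload; isdataat:6 relative to "Hi", which
     * is followed by only 5 bytes) -- presumably one past what the payload
     * can satisfy; confirm against the isdataat implementation. */
    uint32_t results[3][5] = {
                              /* packet 0 (TCP) */
                              {1, 1, 0, 1, 0},
                              /* packet 1 (UDP) */
                              {1, 1, 0, 1, 0},
                              /* packet 2 (ICMP) */
                              {1, 1, 0, 1, 0} };

    result = UTHGenericTest(p, 3, sigs, sid, (uint32_t *) results, 5);

end:
    /* Free one packet at a time and skip slots that were never built. */
    for (int i = 0; i < 3; i++) {
        if (p[i] != NULL)
            UTHFreePackets(&p[i], 1);
    }
    return result;
}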
/**
 * \test DetectTosTest12 checks the "tos" keyword, plain and negated,
 *       against a single TCP packet whose raw IP TOS field is set to 10.
 *
 * \retval value returned by UTHGenericTest(), or 0 if the packet could
 *         not be built
 */
static int DetectTosTest12(void)
{
    uint8_t *payload = (uint8_t *)"Hi all!";
    uint16_t payload_len = strlen((char *)payload);

    Packet *pkt = UTHBuildPacket((uint8_t *)payload, payload_len, IPPROTO_TCP);
    if (pkt == NULL)
        return 0;

    IPV4_SET_RAW_IPTOS(pkt->ip4h, 10);

    /* The rule texts differ in whitespace around the value and the "!",
     * presumably to exercise the keyword parser as well as the match. */
    const char *rules[4] = {
        "alert ip any any -> any any (msg:\"Testing id 1\"; tos: 10 ; sid:1;)",
        "alert ip any any -> any any (msg:\"Testing id 2\"; tos: ! 10; sid:2;)",
        "alert ip any any -> any any (msg:\"Testing id 3\"; tos:20 ; sid:3;)",
        "alert ip any any -> any any (msg:\"Testing id 3\"; tos:! 20; sid:4;)",
    };

    uint32_t sids[4] = {1, 2, 3, 4};

    /* With TOS 10 on the packet: tos:10 and tos:!20 are expected to alert,
     * tos:!10 and tos:20 are not. */
    uint32_t expected[1][4] = {
        {1, 0, 0, 1},
    };

    int verdict = UTHGenericTest(&pkt, 1, rules, sids, (uint32_t *) expected, 4);

    UTHFreePackets(&pkt, 1);
    return verdict;
}
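/**
 * \test DetectIdTestMatch01
 * \brief Test to check the "id" keyword with constructed packets: each
 *        packet gets its own IPv4 id and must alert on exactly one rule.
 *
 * \retval value returned by UTHGenericTest(), or 0 if a packet could not
 *         be built
 */
int DetectIdTestMatch01(void)
{
    int result = 0;
    uint8_t *buf = (uint8_t *)"Hi all!";
    uint16_t buflen = strlen((char *)buf);
    Packet *p[3];

    p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
    p[1] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_UDP);
    p[2] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_ICMP);

    /* A partial build failure still goes through the cleanup at "end",
     * so the packets that were built are not leaked. */
    if (p[0] == NULL || p[1] == NULL || p[2] == NULL)
        goto end;

    /* The id is stored in network byte order, hence htons(). */
    /* TCP packet, IP id = 1234 */
    p[0]->ip4h->ip_id = htons(1234);
    /* UDP packet, IP id = 5678 */
    p[1]->ip4h->ip_id = htons(5678);
    /* ICMP packet, IP id = 5101 */
    p[2]->ip4h->ip_id = htons(5101);

    char *sigs[3];
    sigs[0]= "alert ip any any -> any any (msg:\"Testing id 1\"; id:1234; sid:1;)";
    sigs[1]= "alert ip any any -> any any (msg:\"Testing id 2\"; id:5678; sid:2;)";
    sigs[2]= "alert ip any any -> any any (msg:\"Testing id 3\"; id:5101; sid:3;)";

    uint32_t sid[3] = {1, 2, 3};

    /* One row per packet, one column per sid: every packet is expected to
     * alert only on the rule that carries its own id. */
    uint32_t results[3][3] = {
                              /* packet 0 (id 1234) matches sid 1 only */
                              {1, 0, 0},
                              /* packet 1 (id 5678) matches sid 2 only */
                              {0, 1, 0},
                              /* packet 2 (id 5101) matches sid 3 only */
                              {0, 0, 1} };

    result = UTHGenericTest(p, 3, sigs, sid, (uint32_t *) results, 3);

end:
    /* Free one packet at a time and skip slots that were never built. */
    for (int i = 0; i < 3; i++) {
        if (p[i] != NULL)
            UTHFreePackets(&p[i], 1);
    }
    return result;
}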
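/**
 * \test DetectSeqSigTest02 tests the seq keyword against two TCP packets
 *       with different sequence numbers and one ICMP packet.
 *
 * \retval value returned by UTHGenericTest(), or 0 if a packet could not
 *         be built
 */
static int DetectSeqSigTest02(void)
{
    int result = 0;
    uint8_t *buf = (uint8_t *)"Hi all!";
    uint16_t buflen = strlen((char *)buf);
    Packet *p[3];

    p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
    p[1] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
    p[2] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_ICMP);

    /* A partial build failure still goes through the cleanup at "end",
     * so the packets that were built are not leaked. */
    if (p[0] == NULL || p[1] == NULL || p[2] == NULL)
        goto end;

    /* The sequence number is stored in network byte order, hence htonl().
     * p[2] is ICMP and gets no TCP header fields set. */
    /* TCP w/seq=42 */
    p[0]->tcph->th_seq = htonl(42);
    /* TCP w/seq=100 */
    p[1]->tcph->th_seq = htonl(100);

    char *sigs[2];
    sigs[0]= "alert tcp any any -> any any (msg:\"Testing seq\"; seq:41; sid:1;)";
    sigs[1]= "alert tcp any any -> any any (msg:\"Testing seq\"; seq:42; sid:2;)";

    uint32_t sid[2] = {1, 2};

    /* One row per packet, one column per sid. seq:41 is an off-by-one
     * value that no packet carries, so sid 1 must never alert. */
    uint32_t results[3][2] = {
                              /* packet 0 (seq 42) matches sid 2 but not sid 1 */
                              {0, 1},
                              /* packet 1 (seq 100) should not match */
                              {0, 0},
                              /* packet 2 (ICMP) should not match the tcp rules */
                              {0, 0} };

    result = UTHGenericTest(p, 3, sigs, sid, (uint32_t *) results, 2);

end:
    /* Free one packet at a time and skip slots that were never built. */
    for (int i = 0; i < 3; i++) {
        if (p[i] != NULL)
            UTHFreePackets(&p[i], 1);
    }
    return result;
}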