/**
* \test DetectIsdataatTestPacket03 is a test to check matches of
* isdataat, and isdataat relative works if the previous keyword is byte_jump
* (bug 146)
*/
int DetectIsdataatTestPacket03 (void) {
int result = 0;
uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
"User-Agent: Wget/1.11.4"
"Accept: */*"
"Host: www.google.com"
"Connection: Keep-Alive"
"Date: Mon, 04 Jan 2010 17:29:39 GMT";
uint16_t buflen = strlen((char *)buf);
Packet *p;
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
if (p == NULL)
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"byte_jump match = 0 "
"with distance content HTTP/1. relative against HTTP/1.0\"; byte_jump:1,"
"46,string,dec; isdataat:87,relative; sid:109; rev:1;)";
result = UTHPacketMatchSig(p, sig);
UTHFreePacket(p);
end:
return result;
}
/**
* \test DetectWithinTestPacket01 is a test to check matches of
* within, if the previous keyword is pcre (bug 145)
*/
int DetectWithinTestPacket01 (void) {
int result = 0;
uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
"User-Agent: Wget/1.11.4"
"Accept: */*"
"Host: www.google.com"
"Connection: Keep-Alive"
"Date: Mon, 04 Jan 2010 17:29:39 GMT";
uint16_t buflen = strlen((char *)buf);
Packet *p;
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
if (p == NULL)
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"pcre with within "
"modifier\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\";"
" content:\"HTTP\"; within:5; sid:49; rev:1;)";
result = UTHPacketMatchSig(p, sig);
UTHFreePacket(p);
end:
return result;
}
int DetectByteJumpTestPacket03(void)
{
int result = 0;
uint8_t *buf = NULL;
uint16_t buflen = 0;
buf = SCMalloc(4);
if (unlikely(buf == NULL)) {
printf("malloc failed\n");
exit(EXIT_FAILURE);
}
memcpy(buf, "boom", 4);
buflen = 4;
Packet *p;
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
if (p == NULL)
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"byte_jump\"; "
"byte_jump:1,214748364; sid:1; rev:1;)";
result = !UTHPacketMatchSig(p, sig);
UTHFreePacket(p);
end:
if (buf != NULL)
SCFree(buf);
return result;
}
/**
* \test DetectIsdataatTestPacket02 is a test to check matches of
* isdataat, and isdataat relative works if the previous keyword is pcre
* (bug 144)
*/
int DetectIsdataatTestPacket02 (void) {
int result = 0;
uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
"User-Agent: Wget/1.11.4"
"Accept: */*"
"Host: www.google.com"
"Connection: Keep-Alive"
"Date: Mon, 04 Jan 2010 17:29:39 GMT";
uint16_t buflen = strlen((char *)buf);
Packet *p;
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
if (p == NULL)
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"pcre with"
" isdataat + relative\"; pcre:\"/A(ll|pp)WorkAndNoPlayMakesWillA"
"DullBoy/\"; isdataat:96,relative; sid:1;)";
result = UTHPacketMatchSig(p, sig);
UTHFreePacket(p);
end:
return result;
}
/**
* \test DetectByteJumpTestPacket02 is a test to check matches of
* byte_jump and byte_jump relative works if the previous keyword is byte_jump
* (bug 165)
*/
int DetectByteJumpTestPacket02 (void) {
int result = 0;
uint8_t buf[] = { 0x00, 0x00, 0x00, 0x77, 0xff, 0x53,
0x4d, 0x42, 0x2f, 0x00, 0x00, 0x00, 0x00, 0x18,
0x01, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
0x92, 0xa4, 0x01, 0x08, 0x17, 0x5c, 0x0e, 0xff,
0x00, 0x00, 0x00, 0x01, 0x40, 0x48, 0x00, 0x00,
0x00, 0xff };
uint16_t buflen = sizeof(buf);
Packet *p;
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
if (p == NULL)
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"byte_jump with byte_jump"
" + relative\"; byte_jump:1,13; byte_jump:4,0,relative; "
"content:\"|48 00 00|\"; within:3; sid:144; rev:1;)";
result = UTHPacketMatchSig(p, sig);
UTHFreePacket(p);
end:
return result;
}
/**
* \test DetectByteJumpTestPacket01 is a test to check matches of
* byte_jump and byte_jump relative works if the previous keyword is pcre
* (bug 142)
*/
int DetectByteJumpTestPacket01 (void) {
int result = 0;
uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
"User-Agent: Wget/1.11.4"
"Accept: */*"
"Host: www.google.com"
"Connection: Keep-Alive"
"Date: Mon, 04 Jan 2010 17:29:39 GMT";
uint16_t buflen = strlen((char *)buf);
Packet *p;
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
if (p == NULL)
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"pcre + byte_test + "
"relative\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\"; byte_jump:1,6,"
"relative,string,dec; content:\"0\"; sid:134; rev:1;)";
result = UTHPacketMatchSig(p, sig);
UTHFreePacket(p);
end:
return result;
}
static int PayloadLenFieldTest2() {
uint8_t payload[4096];
uint16_t len = sizeof(payload);
memcpy(payload + 2, &len, 4);
Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
int res = UTHPacketMatchSig(p, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:2 len:4; sid:1;)");
UTHFreePacket(p);
return res;
}
static int PayloadLenFieldTest1() {
uint8_t payload[] = {
1,2,3,4,5,6,7,8,9,10
};
uint8_t len = sizeof(payload);
payload[2] = len;
Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
int res = UTHPacketMatchSig(p, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:2 len:1; sid:1;)");
UTHFreePacket(p);
return res;
}
static int PayloadLenFieldTest3() {
uint8_t payload[256];
for (int i = 0; i < 256; ++i) {
payload[i] = i;
}
uint16_t len = sizeof(payload);
memcpy(payload + 1, &len, 2);
Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
int res = UTHPacketMatchSig(p, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:1 len:2; sid:1;)");
UTHFreePacket(p);
return res;
}
/**
* \test check matches of with from_beginning (bug 626/627)
*/
int DetectByteJumpTestPacket07 (void) {
int result = 0;
uint8_t *buf = (uint8_t *)"XX04abcdABCD";
uint16_t buflen = strlen((char *)buf);
Packet *p;
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
if (p == NULL)
goto end;
char sig[] = "alert tcp any any -> any any (content:\"XX\"; byte_jump:2,0,relative,string,dec,from_beginning; content:\"abcdABCD\"; distance:0; within:8; sid:1; rev:1;)";
result = UTHPacketMatchSig(p, sig) ? 1 : 0;
UTHFreePacket(p);
end:
return result;
}
int DetectWithinTestPacket02 (void) {
int result = 0;
uint8_t *buf = (uint8_t *)"Zero Five Ten Fourteen";
uint16_t buflen = strlen((char *)buf);
Packet *p;
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
if (p == NULL)
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"pcre with within "
"modifier\"; content:\"Five\"; content:\"Ten\"; within:3; distance:1; sid:1;)";
result = UTHPacketMatchSig(p, sig);
UTHFreePacket(p);
end:
return result;
}
/**
* \test DetectDistanceTestPacket01 is a test to check matches of
* distance works, if the previous keyword is byte_jump and content
* (bug 163)
*/
int DetectDistanceTestPacket01 (void) {
int result = 0;
uint8_t buf[] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00 };
uint16_t buflen = sizeof(buf);
Packet *p;
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
if (p == NULL)
goto end;
char sig[] = "alert tcp any any -> any any (msg:\"suricata test\"; "
"byte_jump:1,2; content:\"|00|\"; "
"within:1; distance:2; sid:98711212; rev:1;)";
p->flowflags = FLOW_PKT_ESTABLISHED | FLOW_PKT_TOCLIENT;
result = UTHPacketMatchSig(p, sig);
UTHFreePacket(p);
end:
return result;
}
