/**
 * \brief Parse a decode-event option string and attach the result to the
 *        signature as a new SigMatch.
 *
 * The raw string is user-provided rule text. It is handed to
 * DetectEngineEventParse() and a parse failure is reported to the caller
 * as -1; nothing is appended to the signature in that case.
 *
 * \param de_ctx pointer to the Detection Engine Context (not used here)
 * \param s pointer to the Current Signature
 * \param rawstr pointer to the user provided decode-event options
 * \param smtype value stored in the type field of the new SigMatch
 *
 * \retval 0 on Success
 * \retval -1 on Failure (parse error or SigMatch allocation failure)
 */
static int _DetectEngineEventSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr, int smtype)
{
    DetectEngineEventData *event_data = DetectEngineEventParse(rawstr);
    if (event_data == NULL) {
        /* nothing has been allocated yet, so there is nothing to release */
        return -1;
    }

    SCLogDebug("rawstr %s %u", rawstr, event_data->event);

    SigMatch *match = SigMatchAlloc();
    if (match == NULL) {
        /* the parsed data has no owner yet; release it before bailing out */
        SCFree(event_data);
        return -1;
    }

    match->type = smtype;
    match->ctx = (SigMatchCtx *)event_data;

    SigMatchAppendSMToList(s, match, DETECT_SM_LIST_MATCH);
    return 0;
}
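/**
 * \test EngineEventTestParse05 is a test for an invalid char into the
 *       decode-event value
 *
 * This is a negative test: "IPV-6,INVALID_CHAR" must be rejected by the
 * parser. It follows the 1 = pass / 0 = fail convention used by the other
 * tests in this file.
 *
 * \retval 1 the parser rejected the malformed value (test passes)
 * \retval 0 the parser accepted the malformed value (test fails)
 */
int EngineEventTestParse05 (void)
{
    DetectEngineEventData *de = DetectEngineEventParse("IPV-6,INVALID_CHAR");
    if (de != NULL) {
        /* A malformed event name was accepted. Reporting success here would
         * hide a parser regression, so release the result and fail. */
        DetectEngineEventFree(de);
        return 0;
    }

    return 1;
}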
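/**
 * \test EngineEventTestParse04 is a test for an invalid upper case
 *       decode-event value
 *
 * This is a negative test: "IPV6.INVALID_EVENT" must be rejected by the
 * parser. It follows the 1 = pass / 0 = fail convention used by the other
 * tests in this file.
 *
 * \retval 1 the parser rejected the unknown event name (test passes)
 * \retval 0 the parser accepted the unknown event name (test fails)
 */
int EngineEventTestParse04 (void)
{
    DetectEngineEventData *de = DetectEngineEventParse("IPV6.INVALID_EVENT");
    if (de != NULL) {
        /* An unknown event name was accepted. Reporting success here would
         * hide a parser regression, so release the result and fail. */
        DetectEngineEventFree(de);
        return 0;
    }

    return 1;
}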
/**
 * \test EngineEventTestParse03 checks that a valid, all upper case
 *       decode-event value is accepted by the parser
 *
 * \retval 1 "IPV6.PKT_TOO_SMALL" was parsed (test passes)
 * \retval 0 the parser returned NULL (test fails)
 */
int EngineEventTestParse03 (void)
{
    DetectEngineEventData *parsed = DetectEngineEventParse("IPV6.PKT_TOO_SMALL");
    if (parsed == NULL)
        return 0;

    /* the parse result is only needed as a yes/no answer; release it */
    DetectEngineEventFree(parsed);
    return 1;
}
/**
 * \test EngineEventTestParse02 checks that a valid decode-event value
 *       written in mixed upper and lower case is accepted by the parser
 *
 * \retval 1 "PPP.pkt_too_small" was parsed (test passes)
 * \retval 0 the parser returned NULL (test fails)
 */
int EngineEventTestParse02 (void)
{
    DetectEngineEventData *parsed = DetectEngineEventParse("PPP.pkt_too_small");
    if (parsed == NULL)
        return 0;

    /* the parse result is only needed as a yes/no answer; release it */
    DetectEngineEventFree(parsed);
    return 1;
}
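/**
 * \test EngineEventTestParse06 is a test for match function with valid
 *       decode-event value
 *
 * A zeroed packet is flagged with PPP_PKT_TOO_SMALL and matched against a
 * SigMatch built from the parsed "ppp.pkt_too_small" option. Note that
 * de->event is overwritten after parsing, so this test exercises the match
 * function only; it does not verify the event id chosen by the parser.
 *
 * All allocations are released on every path, including the passing one.
 *
 * \retval 1 the match function reported a match (test passes)
 * \retval 0 allocation, parsing or matching failed (test fails)
 */
int EngineEventTestParse06 (void)
{
    int result = 0;
    ThreadVars tv;
    DetectEngineEventData *de = NULL;
    SigMatch *sm = NULL;

    Packet *p = SCMalloc(SIZE_OF_PACKET);
    if (unlikely(p == NULL))
        return 0;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(p, 0, SIZE_OF_PACKET);

    ENGINE_SET_EVENT(p,PPP_PKT_TOO_SMALL);

    de = DetectEngineEventParse("ppp.pkt_too_small");
    if (de == NULL)
        goto end;

    /* force the event id so the match below does not depend on the parser */
    de->event = PPP_PKT_TOO_SMALL;

    sm = SigMatchAlloc();
    if (sm == NULL)
        goto end;

    sm->type = DETECT_DECODE_EVENT;
    sm->ctx = (SigMatchCtx *)de;

    if (DetectEngineEventMatch(&tv,NULL,p,NULL,sm->ctx))
        result = 1;

end:
    /* single exit: the passing path previously returned without freeing
     * de and sm */
    if (de)
        SCFree(de);
    if (sm)
        SCFree(sm);
    SCFree(p);
    return result;
}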