Esempio n. 1
/**
 * \test Negated ssl_state values ("!state") are parsed into flags and mask.
 *
 * Covers one negated state and a comma-separated pair of negated states.
 * In both cases the test requires ssd->flags and ssd->mask to equal the OR
 * of the named state bits. The outcome is reported through the
 * FAIL_IF* / PASS unit-test macros.
 */
int DetectSslStateTestParseNegate(void)
{
    /* Case 1: a single negated state. */
    uint32_t want = DETECT_SSL_STATE_CLIENT_HELLO;
    DetectSslStateData *parsed = DetectSslStateParse("!client_hello");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->flags == want && parsed->mask == want);
    SCFree(parsed);

    /* Case 2: two negated states; each one must show up in both fields. */
    want = DETECT_SSL_STATE_CLIENT_HELLO | DETECT_SSL_STATE_SERVER_HELLO;
    parsed = DetectSslStateParse("!client_hello,!server_hello");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->flags == want && parsed->mask == want);
    SCFree(parsed);

    PASS;
}
Esempio n. 2
/**
 * \internal
 * \brief Setup function for the ssl_state keyword.
 *
 * Parses the keyword argument, wraps the result in a SigMatch of type
 * DETECT_AL_SSL_STATE, sets the signature's app-layer protocol to
 * ALPROTO_TLS and appends the match to the DETECT_SM_LIST_AMATCH list.
 *
 * A signature whose alproto is already something other than
 * ALPROTO_UNKNOWN or ALPROTO_TLS is rejected with
 * SC_ERR_CONFLICTING_RULE_KEYWORDS, so a rule carrying contradictory
 * protocol constraints fails here rather than being accepted.
 *
 * \param de_ctx Pointer to the Detection Engine Context (not read here).
 * \param s      Signature being set up; its alproto is checked and set.
 * \param arg    ssl_state argument string, handed to DetectSslStateParse().
 *
 * \retval  0 On success.
 * \retval -1 On failure; everything allocated in this call is released.
 */
int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
{
    SigMatch *match = NULL;
    DetectSslStateData *state = DetectSslStateParse(arg);

    /* Nothing has been allocated yet, so there is nothing to unwind. */
    if (state == NULL)
        return -1;

    match = SigMatchAlloc();
    if (match == NULL)
        goto fail;

    match->type = DETECT_AL_SSL_STATE;
    match->ctx = (SigMatchCtx *)state;

    /* ssl_state is only accepted on signatures that are TLS or still
     * protocol-agnostic. */
    if (!(s->alproto == ALPROTO_UNKNOWN || s->alproto == ALPROTO_TLS)) {
        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
                   "Rule contains conflicting keywords.  Have non-tls alproto "
                   "set for a rule containing \"ssl_state\" keyword");
        goto fail;
    }
    s->alproto = ALPROTO_TLS;

    SigMatchAppendSMToList(s, match, DETECT_SM_LIST_AMATCH);
    return 0;

fail:
    /* state is non-NULL on every path that reaches this label. The match
     * wrapper is released with SCFree() only, so the parsed data is freed
     * exactly once. */
    DetectSslStateFree(state);
    if (match != NULL)
        SCFree(match);
    return -1;
}
Esempio n. 3
/**
 * \test A state list that ends in a dangling "," separator is rejected.
 *
 * The input names five states and then ends with a separator that has no
 * state after it; the test requires DetectSslStateParse() to return NULL,
 * i.e. a malformed keyword argument must not yield usable match data.
 */
int DetectSslStateTest06(void)
{
    DetectSslStateData *parsed = DetectSslStateParse(
            "server_hello , client_keyx , client_hello , server_keyx , "
            "unknown , ");
    FAIL_IF_NOT_NULL(parsed);
    PASS;
}
Esempio n. 4
/**
 * \test A single state name parses to exactly that state's flag.
 *
 * "client_hello" must produce a non-NULL result whose flags field equals
 * DETECT_SSL_STATE_CLIENT_HELLO and nothing else.
 */
int DetectSslStateTest01(void)
{
    DetectSslStateData *parsed = DetectSslStateParse("client_hello");
    FAIL_IF_NULL(parsed);
    FAIL_IF(parsed->flags != DETECT_SSL_STATE_CLIENT_HELLO);
    SCFree(parsed);
    PASS;
}
Esempio n. 5
/**
 * \test The "|" character still works as a separator, for compatibility
 * with older Suricata rules.
 *
 * "server_hello|client_hello" must parse, and flags must be exactly the OR
 * of the two named state bits.
 */
int DetectSslStateTest08(void)
{
    DetectSslStateData *parsed = DetectSslStateParse("server_hello|client_hello");
    FAIL_IF_NULL(parsed);
    FAIL_IF(parsed->flags != (DETECT_SSL_STATE_SERVER_HELLO |
                              DETECT_SSL_STATE_CLIENT_HELLO));
    SCFree(parsed);
    PASS;
}
Esempio n. 6
/**
 * \test A "|"-separated state list ending in a dangling separator is
 * rejected.
 *
 * The input ends with a separator that has no state after it, so the
 * parser is required to return NULL.
 *
 * \retval 1 The parser rejected the input (test passed).
 * \retval 0 The parser returned data for the malformed input.
 */
int DetectSslStateTest06(void)
{
    DetectSslStateData *parsed = DetectSslStateParse(
            "server_hello | client_keyx | client_hello | server_keyx | "
            "unknown | ");

    /* Rejection is the expected outcome. */
    if (parsed == NULL)
        return 1;

    printf("ssd != NULL - failure\n");
    SCFree(parsed);
    return 0;
}
Esempio n. 7
/**
 * \test All five state names in one comma-separated list, with spaces
 * around the separators, parse to the OR of all five flags.
 *
 * The list is deliberately not in flag order; the test only requires that
 * every named state ends up set in flags and that nothing else is.
 */
int DetectSslStateTest04(void)
{
    DetectSslStateData *parsed = DetectSslStateParse(
            "server_hello , client_keyx , client_hello , server_keyx , "
            "unknown");
    FAIL_IF_NULL(parsed);
    FAIL_IF(parsed->flags != (DETECT_SSL_STATE_SERVER_HELLO |
                              DETECT_SSL_STATE_CLIENT_KEYX |
                              DETECT_SSL_STATE_CLIENT_HELLO |
                              DETECT_SSL_STATE_SERVER_KEYX |
                              DETECT_SSL_STATE_UNKNOWN));
    SCFree(parsed);
    PASS;
}
Esempio n. 8
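/**
 * \test A single state name parses to exactly that state's flag.
 *
 * \retval 1 "client_hello" parsed and flags equals
 *           DETECT_SSL_STATE_CLIENT_HELLO.
 * \retval 0 The parser returned NULL or flags held a different value.
 */
int DetectSslStateTest01(void)
{
    DetectSslStateData *ssd = DetectSslStateParse("client_hello");
    if (ssd == NULL) {
        printf("ssd == NULL\n");
        return 0;
    }

    /* Record the verdict before freeing so that ssd is released on the
     * mismatch path as well; returning 0 straight from a failed comparison
     * would leak it. */
    const int ok = (ssd->flags == DETECT_SSL_STATE_CLIENT_HELLO);
    SCFree(ssd);

    return ok;
}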
Esempio n. 9
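/**
 * \test Two states separated by " | " parse to the OR of both flags.
 *
 * \retval 1 The input parsed and flags equals
 *           DETECT_SSL_STATE_SERVER_HELLO | DETECT_SSL_STATE_CLIENT_HELLO.
 * \retval 0 The parser returned NULL or flags held a different value.
 */
int DetectSslStateTest02(void)
{
    DetectSslStateData *ssd = DetectSslStateParse("server_hello | client_hello");
    if (ssd == NULL) {
        printf("ssd == NULL\n");
        return 0;
    }

    /* Record the verdict before freeing so that ssd is released on the
     * mismatch path as well; returning 0 straight from a failed comparison
     * would leak it. */
    const int ok = (ssd->flags == (DETECT_SSL_STATE_SERVER_HELLO |
                                   DETECT_SSL_STATE_CLIENT_HELLO));
    SCFree(ssd);

    return ok;
}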
Esempio n. 10
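/**
 * \test All five state names in one " | "-separated list parse to the OR
 * of all five flags.
 *
 * \retval 1 The input parsed and flags equals the OR of the five
 *           DETECT_SSL_STATE_* values named in the list.
 * \retval 0 The parser returned NULL or flags held a different value.
 */
int DetectSslStateTest04(void)
{
    DetectSslStateData *ssd = DetectSslStateParse("server_hello | client_keyx | "
                                                  "client_hello | server_keyx | "
                                                  "unknown");
    if (ssd == NULL) {
        printf("ssd == NULL\n");
        return 0;
    }

    /* Record the verdict before freeing so that ssd is released on the
     * mismatch path as well; returning 0 straight from a failed comparison
     * would leak it. */
    const int ok = (ssd->flags == (DETECT_SSL_STATE_SERVER_HELLO |
                                   DETECT_SSL_STATE_CLIENT_KEYX |
                                   DETECT_SSL_STATE_CLIENT_HELLO |
                                   DETECT_SSL_STATE_SERVER_KEYX |
                                   DETECT_SSL_STATE_UNKNOWN));
    SCFree(ssd);

    return ok;
}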