/**
* \test This is a test for a valid value 1430000000 <> 1490000000.
*
* \retval 1 on success.
* \retval 0 on failure.
*/
static int ValidityTestParse12 (void)
{
DetectNfsVersionData *dd = NULL;
dd = DetectNfsVersionParse("1430000000 <> 1490000000");
FAIL_IF_NULL(dd);
FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1490000000 &&
dd->mode == PROCEDURE_RA);
DetectNfsVersionFree(dd);
PASS;
}
void t03_create_add_free_full_flow(){
INIT_LOCAL();
onion_request *req;
int ok;
req=onion_request_new(custom_io);
FAIL_IF_EQUAL(req,NULL);
FAIL_IF_NOT_EQUAL(req->connection.fd, -1);
ok=REQ_WRITE(req,"GET /myurl%20/is/very/deeply/nested?test=test&query2=query%202&more_query=%20more%20query+10&empty&empty2 HTTP/1.0\n");
FAIL_IF_NOT(ok);
ok=REQ_WRITE(req,"Host: 127.0.0.1\r\n");
FAIL_IF_NOT(ok);
ok=REQ_WRITE(req,"Other-Header: My header is very long and with spaces...\n");
FAIL_IF_NOT(ok);
ok=REQ_WRITE(req,"Final-Header: This header do not get into headers as a result of now knowing if its finished, or if its multiline.\n");
FAIL_IF_NOT(ok);
FAIL_IF_EQUAL(req->flags,OR_GET|OR_HTTP11);
FAIL_IF_EQUAL(req->headers, NULL);
FAIL_IF_NOT_EQUAL_STR( onion_dict_get(req->headers,"Host"), "127.0.0.1");
FAIL_IF_NOT_EQUAL_STR( onion_dict_get(req->headers,"Other-Header"), "My header is very long and with spaces...");
FAIL_IF_NOT_EQUAL_STR(req->fullpath,"/myurl /is/very/deeply/nested");
FAIL_IF_NOT_EQUAL(req->path,NULL);
onion_request_process(req); // this should set the req->path.
FAIL_IF_NOT_EQUAL_STR(req->path,"myurl /is/very/deeply/nested");
FAIL_IF_EQUAL(req->GET, NULL);
FAIL_IF_NOT_EQUAL_STR( onion_dict_get(req->GET,"test"), "test");
FAIL_IF_NOT_EQUAL_STR( onion_dict_get(req->GET,"query2"), "query 2");
FAIL_IF_NOT_EQUAL_STR( onion_dict_get(req->GET,"more_query"), " more query 10");
FAIL_IF_EQUAL(onion_request_get_query(req, "empty"), NULL);
FAIL_IF_EQUAL(onion_request_get_query(req, "empty2"), NULL);
FAIL_IF_NOT_EQUAL(onion_request_get_query(req, "empty3"), NULL);
onion_request_free(req);
END_LOCAL();
}
bool Expr::parseMultiplicativeExpression() {
PARSER_FLOW_TRACER();
/* right associative */
FAIL_IF_NOT(parseUnaryExpression());
while (IS_MULTI_EXPR_OPER(ahead().type())) {
Model::ExprBinary::Ptr result = new Model::ExprBinary;
result->setLeftOperand(model());
result->setBinaryOperator(tokenToBinary(ahead().type()));
next();
FAIL_IF_NOT(parseUnaryExpression());
result->setRightOperand(model());
setModel(result);
}
return true;
}
int DetectSslStateTest03(void)
{
DetectSslStateData *ssd = DetectSslStateParse("server_hello , client_keyx , "
"client_hello");
FAIL_IF_NULL(ssd);
FAIL_IF_NOT(ssd->flags == (DETECT_SSL_STATE_SERVER_HELLO |
DETECT_SSL_STATE_CLIENT_KEYX |
DETECT_SSL_STATE_CLIENT_HELLO));
SCFree(ssd);
PASS;
}
/**
* \test DetectFlowTestParse11 is a test for setting the from_server,stateless flow opts with spaces all around
*/
int DetectFlowTestParse11 (void)
{
DetectFlowData *fd = NULL;
fd = DetectFlowParse(" from_server , stateless ");
FAIL_IF_NULL(fd);
FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
fd->match_cnt == 2);
DetectFlowFree(fd);
PASS;
}
/**
* \test DetectFlowTestParseNocase08 is a test for setting the established,to_client flow opts
*/
int DetectFlowTestParseNocase08 (void)
{
DetectFlowData *fd = NULL;
fd = DetectFlowParse("ESTABLISHED,TO_CLIENT");
FAIL_IF_NULL(fd);
FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
fd->match_cnt == 2);
DetectFlowFree(fd);
PASS;
}
int UTHRemoveSessionFromFlow(Flow *f)
{
FAIL_IF_NULL(f);
FAIL_IF_NOT(f->proto == IPPROTO_TCP);
TcpSession *ssn = f->protoctx;
FAIL_IF_NULL(ssn);
StreamTcpSessionCleanup(ssn);
SCFree(ssn);
f->protoctx = NULL;
return 1;
}
/**
* \test DetectFlowTestParseNocase11 is a test for setting the from_server,stateless flow opts with spaces all around
*/
int DetectFlowTestParseNocase11 (void)
{
DetectFlowData *fd = NULL;
fd = DetectFlowParse(" FROM_SERVER , STATELESS ");
FAIL_IF_NULL(fd);
FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
fd->match_cnt == 2);
DetectFlowFree(fd);
PASS;
}
/**
* \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
*/
int DetectFlowTestParseNocase20 (void)
{
DetectFlowData *fd = NULL;
fd = DetectFlowParse("FROM_SERVER,ESTABLISHED,NO_STREAM");
FAIL_IF_NULL(fd);
FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
fd->flags & DETECT_FLOW_FLAG_NOSTREAM &&
fd->match_cnt == 3);
DetectFlowFree(fd);
PASS;
}
/**
* \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
*/
int DetectFlowTestParse20 (void)
{
DetectFlowData *fd = NULL;
fd = DetectFlowParse("from_server,established,no_stream");
FAIL_IF_NULL(fd);
FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
fd->flags & DETECT_FLOW_FLAG_NOSTREAM &&
fd->match_cnt == 3);
DetectFlowFree(fd);
PASS;
}
void t02_create_and_free_a_lot(unsigned int n){
INIT_LOCAL();
onion_dict *dict;
const char *value;
unsigned int i;
dict=onion_dict_new();
FAIL_IF_EQUAL(dict,NULL);
// Linear add
for (i=0;i<n;i++){
char key[16], val[16];
sprintf(key,"key %d",i);
sprintf(val,"val %d",i);
onion_dict_add(dict, key, val, OD_DUP_ALL);
}
// Linear get
for (i=0;i<n;i++){
char key[16], val[16];
sprintf(key,"key %d",i);
sprintf(val,"val %d",i);
value=onion_dict_get(dict, key);
FAIL_IF_NOT_EQUAL_STR(val,value);
}
// remove all
for (i=0;i<n;i++){
char key[16];
sprintf(key,"key %d",i);
int ok=onion_dict_remove(dict, key);
FAIL_IF_NOT(ok);
}
// check removed all
for (i=0;i<n;i++){
char key[16], val[16];
sprintf(key,"key %d",i);
sprintf(val,"val %d",i);
value=onion_dict_get(dict, key);
//fprintf(stderr,"%s %s\n",key,value);
FAIL_IF_NOT_EQUAL(NULL,value);
FAIL_IF_NOT_EQUAL_STR(NULL,value);
}
onion_dict_free(dict);
END_LOCAL();
}
onion_connection_status process_request(void *_, onion_request * req,
onion_response * res) {
onion_response_write0(res, "Done");
const onion_block *data = onion_request_get_data(req);
FAIL_IF_NOT(data);
FAIL_IF_NOT_EQUAL_STR(onion_block_data(data),
"{\n \"a\": \"10\",\n \"b\": \"20\"\n}");
ONION_DEBUG(onion_block_data(data));
return OCS_PROCESSED;
}
void POST_json(void) {
sleep(1);
onion_block *tosend = onion_block_new();
onion_block_add_str(tosend,
"POST /configuration HTTP/1.1\nHost: example.com\nContent-Type: application/json\nContent-Length: 30\n\n"
"{\n \"a\": \"10\",\n \"b\": \"20\"\n}");
onion_block *bl = connect_and_send("127.0.0.1", "8080", tosend, 1024 * 1024);
FAIL_IF_NOT(strstr(onion_block_data(bl), "Done"));
onion_block_free(bl);
onion_block_free(tosend);
}
// This fixes that whenever a session is created, but no new data is added, it does not set the proper cookie
void t04_lot_of_sessionid(){
INIT_LOCAL();
onion *o=onion_new(O_ONE_LOOP);
onion_server_set_write(o->server, empty_write);
onion_url *url=onion_root_url(o);
onion_url_add(url, "^.*", ask_session);
char sessionid[256];
char tmp[1024];
char tmp2[4096];
onion_request *req;
int i;
set_data_on_session=1;
req=onion_request_new(o->server, NULL, NULL);
req->fullpath="/";
onion_request_process(req);
FAIL_IF_NOT_EQUAL_INT(onion_dict_count(o->server->sessions->sessions), 1);
FAIL_IF_EQUAL_STR(lastsessionid,"");
strcpy(sessionid, lastsessionid);
req->fullpath=NULL;
onion_request_free(req);
req=onion_request_new(o->server, NULL, NULL);
req->fullpath="/";
snprintf(tmp,sizeof(tmp)," sessionid=xx%sxx;",lastsessionid);
strcpy(tmp2,"Cookie:");
for(i=0;i<64;i++)
strncat(tmp2, tmp, sizeof(tmp2));
snprintf(tmp,sizeof(tmp)," sessionid=%s\n",lastsessionid);
strncat(tmp2, tmp, sizeof(tmp2));
ONION_DEBUG("Set cookies (%d bytes): %s",strlen(tmp2),tmp2);
strcpy(tmp,"GET /\n");
onion_request_write(req,tmp,strlen(tmp)); // Here is the problem, at parsing too long headers
onion_request_write(req,tmp2,strlen(tmp2)); // Here is the problem, at parsing too long headers
onion_request_write(req,"\n",1);
//onion_dict_add(req->headers, "Cookie", tmp2, 0);
onion_request_process(req);
FAIL_IF_NOT_EQUAL_INT(onion_dict_count(o->server->sessions->sessions), 1);
FAIL_IF_EQUAL_STR(lastsessionid,"");
FAIL_IF_NOT_EQUAL_STR(lastsessionid, sessionid);
FAIL_IF_NOT(has_set_cookie);
onion_request_free(req);
onion_free(o);
END_LOCAL();
}
void t01_listen_port() {
INIT_LOCAL();
if (!geteuid()) {
// current user is root
// set user to nobody
struct passwd * pwd = calloc(1, sizeof(struct passwd));
FAIL_IF_NOT(pwd);
size_t buffer_length = sysconf(_SC_GETPW_R_SIZE_MAX);
FAIL_IF_NOT(buffer_length > 0);
char * buffer = malloc(buffer_length * sizeof(char));
FAIL_IF_NOT(buffer);
int lookup_result = getpwnam_r("nobody", pwd, buffer, buffer_length, &pwd);
FAIL_IF(lookup_result);
FAIL_IF_NOT(pwd);
int setuid_result = setuid(pwd->pw_uid);
FAIL_IF(setuid_result);
free(pwd);
free(buffer);
}
// current user is not root
// it has no permissions to bind to port 88
t01_server=onion_new(O_THREADED);
onion_set_max_threads(t01_server, 2);
t01_errors_count=0;
t01_failed=false;
onion_log=t01_listen_port_error_handler;
onion_set_port(t01_server, "88");
onion_listen(t01_server);
onion_free(t01_server);
FAIL_IF(t01_failed);
END_LOCAL();
}
static int DetectHttpUriIsdataatParseTest(void)
{
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any ("
"content:\"one\"; http_uri; "
"isdataat:!4,relative; sid:1;)");
FAIL_IF_NULL(s);
SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id];
FAIL_IF_NULL(sm);
FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
DetectEngineCtxFree(de_ctx);
PASS;
}
void t02_websocket_server_w_ws() {
INIT_LOCAL();
memset(&ws_status, 0, sizeof(ws_status));
onion *o = websocket_server_new();
onion_request *req = onion_request_new(onion_get_listen_point(o, 0));
onion_request_write0(req,
"GET /\nUpgrade: websocket\nSec-Websocket-Version: 13\nSec-Websocket-Key: My-key\n\n");
onion_request_process(req);
FAIL_IF_NOT(ws_status.is_connected);
FAIL_IF_NOT_EQUAL_INT(ws_status.connected, 1);
onion_request_free(req);
onion_free(o);
END_LOCAL();
}
void t01_create_add_free(){
INIT_LOCAL();
onion_request *req;
int ok;
req=onion_request_new(custom_io);
FAIL_IF_EQUAL(req,NULL);
ok=REQ_WRITE(req, "GET / HTTP/1.1\n");
FAIL_IF_NOT(ok);
onion_request_free(req);
END_LOCAL();
}
void t02_cookies(){
INIT_LOCAL();
onion_response *res=onion_response_new(NULL);
onion_dict *h=onion_response_get_headers(res);
onion_response_add_cookie(res, "key1", "value1", -1, NULL, NULL, 0);
FAIL_IF_NOT_EQUAL_STR(onion_dict_get(h, "Set-Cookie"), "key1=value1");
onion_dict_remove(h, "Set-Cookie");
onion_response_add_cookie(res, "key2", "value2", -1, "/", "*.example.org", OC_HTTP_ONLY|OC_SECURE);
FAIL_IF_NOT_EQUAL_STR(onion_dict_get(h, "Set-Cookie"), "key2=value2; path=/; domain=*.example.org; HttpOnly; Secure");
onion_dict_remove(h, "Set-Cookie");
onion_response_add_cookie(res, "key3", "value3", 0, "/", "*.example.org", OC_HTTP_ONLY|OC_SECURE);
FAIL_IF_NOT_EQUAL_STR(onion_dict_get(h, "Set-Cookie"), "key3=value3; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=*.example.org; HttpOnly; Secure");
onion_dict_remove(h, "Set-Cookie");
onion_response_add_cookie(res, "key4", "value4", 60, "/", "*.example.org", OC_HTTP_ONLY|OC_SECURE);
FAIL_IF_EQUAL_STR(onion_dict_get(h, "Set-Cookie"), "key4=value4; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=*.example.org; HttpOnly; Secure");
FAIL_IF_EQUAL_STR(onion_dict_get(h, "Set-Cookie"), "key4=value4; domain=*.example.org; HttpOnly; path=/; Secure");
int i;
int valid_expires=0;
char tmpdate[100];
const char *setcookie=onion_dict_get(h, "Set-Cookie");
for(i=59;i<62;i++){
struct tm *tmp;
time_t t=time(NULL) + i;
tmp = localtime(&t);
strftime(tmpdate, sizeof(tmpdate), "key4=value4; expires=%a, %d %b %Y %H:%M:%S %Z; path=/; domain=*.example.org; HttpOnly; Secure", tmp);
ONION_DEBUG("\ntest %s =? \nonion %s", tmpdate, setcookie);
if (strcmp(tmpdate, setcookie)==0)
valid_expires=1;
}
FAIL_IF_NOT(valid_expires);
onion_response_free(res);
END_LOCAL();
}
void t01_stop_listening(){
INIT_LOCAL();
signal(SIGTERM, shutdown_server);
o=onion_new(O_POOL);
pthread_t th;
pthread_create(&th, NULL, listen_thread_f, NULL);
sleep(2);
FAIL_IF_NOT(ok_listening);
kill(getpid(), SIGTERM);
sleep(2);
FAIL_IF(ok_listening);
pthread_join(th, NULL);
onion_free(o);
END_LOCAL();
}
/**
* Test a DCE ethernet frame that is too small.
*/
static int DecodeEthernetTestDceTooSmall(void)
{
uint8_t raw_eth[] = {
0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
0x94, 0x56, 0x00, 0x01, 0x89, 0x03,
};
Packet *p = SCMalloc(SIZE_OF_PACKET);
FAIL_IF_NULL(p);
ThreadVars tv;
DecodeThreadVars dtv;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&tv, 0, sizeof(ThreadVars));
memset(p, 0, SIZE_OF_PACKET);
DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth), NULL);
FAIL_IF_NOT(ENGINE_ISSET_EVENT(p, DCE_PKT_TOO_SMALL));
SCFree(p);
PASS;
}
/**
* \test Test matching on a simple google.com SNI with pcre
*/
static int DetectTlsSniTest02(void)
{
/* client hello */
uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7E,
0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
0x6F, 0x6D, };
Flow f;
SSLState *ssl_state = NULL;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 443);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
p->flow = &f;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test tls_sni option\"; "
"tls_sni; content:\"google\"; nocase; "
"pcre:\"/google\\.com$/i\"; sid:1;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test tls_sni option\"; "
"tls_sni; content:\"google\"; nocase; "
"pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, buf, sizeof(buf));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
FAIL_IF_NOT(PacketAlertCheck(p, 2));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&tv, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p);
PASS;
}
static int FlowBitsTestSig06(void)
{
uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.1\r\n"
"Host: one.example.org\r\n"
"\r\n";
uint16_t buflen = strlen((char *)buf);
Packet *p = SCMalloc(SIZE_OF_PACKET);
FAIL_IF_NULL(p);
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
DetectEngineCtx *de_ctx = NULL;
Flow f;
GenericVar flowvar, *gv = NULL;
int result = 0;
int idx = 0;
memset(p, 0, SIZE_OF_PACKET);
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(Flow));
memset(&flowvar, 0, sizeof(GenericVar));
FLOW_INITIALIZE(&f);
p->flow = &f;
p->flow->flowvar = &flowvar;
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->payload = buf;
p->payload_len = buflen;
p->proto = IPPROTO_TCP;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow; sid:10;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_FLOW_BIT);
gv = p->flow->flowvar;
for ( ; gv != NULL; gv = gv->next) {
if (gv->type == DETECT_FLOWBITS && gv->idx == idx) {
result = 1;
}
}
FAIL_IF_NOT(result);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
if(gv) GenericVarFree(gv);
FLOW_DESTROY(&f);
SCFree(p);
PASS;
}
/**
* \test Test matching for google in the issuer of a certificate
*
*/
static int DetectTlsIssuerTest02(void)
{
/* client hello */
uint8_t client_hello[] = {
0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
0x03, 0x04, 0x02, 0x02, 0x02
};
/* server hello */
uint8_t server_hello[] = {
0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
0x0b, 0x00, 0x02, 0x01, 0x00
};
/* certificate */
uint8_t certificate[] = {
0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
};
Flow f;
SSLState *ssl_state = NULL;
TcpSession ssn;
Packet *p1 = NULL;
Packet *p2 = NULL;
Packet *p3 = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1", 51251, 443);
p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
"192.168.1.1", "192.168.1.5", 443, 51251);
p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
"192.168.1.1", "192.168.1.5", 443, 51251);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
f.alproto = ALPROTO_TLS;
p1->flow = &f;
p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->pcap_cnt = 1;
p2->flow = &f;
p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p2->flowflags |= FLOW_PKT_TOCLIENT;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->pcap_cnt = 2;
p3->flow = &f;
p3->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p3->flowflags |= FLOW_PKT_TOCLIENT;
p3->flowflags |= FLOW_PKT_ESTABLISHED;
p3->pcap_cnt = 3;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test tls_cert_issuer\"; "
"tls_cert_issuer; content:\"google\"; nocase; "
"sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, client_hello,
sizeof(client_hello));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
FAIL_IF(PacketAlertCheck(p1, 1));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
server_hello, sizeof(server_hello));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
FAIL_IF(PacketAlertCheck(p2, 1));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
certificate, sizeof(certificate));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
FAIL_IF_NOT(PacketAlertCheck(p3, 1));
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p1);
UTHFreePacket(p2);
UTHFreePacket(p3);
PASS;
}
static int DetectSslVersionTestDetect02(void)
{
Flow f;
uint8_t sslbuf1[] = { 0x16 };
uint32_t ssllen1 = sizeof(sslbuf1);
uint8_t sslbuf2[] = { 0x03 };
uint32_t ssllen2 = sizeof(sslbuf2);
uint8_t sslbuf3[] = { 0x01 };
uint32_t ssllen3 = sizeof(sslbuf3);
uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 };
uint32_t ssllen4 = sizeof(sslbuf4);
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, sslbuf1, ssllen1);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf2, ssllen2);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf3, ssllen3);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf4, ssllen4);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
SSLState *app_state = f.alstate;
FAIL_IF_NULL(app_state);
FAIL_IF(app_state->client_connp.content_type != 0x16);
FAIL_IF(app_state->client_connp.version != TLS_VERSION_10);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
PASS;
}
bool Expr::operator()() {
PARSER_FLOW_TRACER();
FAIL_IF_NOT(parseExpression());
return true;
}
static int DetectHttpRequestLineWrapper(const char *sig, const int expectation)
{
TcpSession ssn;
Packet *p = NULL;
ThreadVars th_v;
DetectEngineCtx *de_ctx = NULL;
DetectEngineThreadCtx *det_ctx = NULL;
HtpState *http_state = NULL;
Flow f;
uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
"Host: www.openinfosecfoundation.org\r\n"
"User-Agent: This is dummy message body\r\n"
"Content-Type: text/html\r\n"
"\r\n";
uint32_t http_len = sizeof(http_buf) - 1;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
FAIL_IF_NULL(alp_tctx);
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FAIL_IF_NULL(p);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, sig);
FAIL_IF_NULL(de_ctx->sig_list);
int sid = de_ctx->sig_list->id;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(&th_v, alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
FAIL_IF(r != 0);
http_state = f.alstate;
FAIL_IF_NULL(http_state);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
r = PacketAlertCheck(p, sid);
FAIL_IF_NOT(r == expectation);
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
PASS;
}
bool Expr::parseExpression() {
PARSER_FLOW_TRACER();
FAIL_IF_NOT(parseRelationalExpression());
return true;
}
// This fixes that whenever a session is created, but no new data is added, it does not set the proper cookie, and should not create a new session.
void t03_bug_empty_session_is_new_session(){
INIT_LOCAL();
onion *o=onion_new(O_ONE_LOOP);
onion_server_set_write(o->server, empty_write);
onion_url *url=onion_root_url(o);
onion_url_add(url, "^.*", ask_session);
char sessionid[256];
char tmp[256];
set_data_on_session=1;
onion_request *req=onion_request_new(o->server, NULL, NULL);
req->fullpath="/";
onion_request_process(req);
FAIL_IF_EQUAL_STR(lastsessionid,"");
strcpy(sessionid, lastsessionid);
req->fullpath=NULL;
onion_request_free(req);
FAIL_IF_NOT_EQUAL_INT(onion_dict_count(o->server->sessions->sessions), 1);
req=onion_request_new(o->server, NULL, NULL);
req->fullpath="/";
onion_dict_add(req->headers, "Cookie", "sessionid=xxx", 0);
onion_request_process(req);
FAIL_IF_EQUAL_STR(lastsessionid,"");
FAIL_IF_EQUAL_STR(lastsessionid, sessionid);
FAIL_IF_NOT(has_set_cookie);
req->fullpath=NULL;
onion_request_free(req);
FAIL_IF_NOT_EQUAL_INT(onion_dict_count(o->server->sessions->sessions), 2);
req=onion_request_new(o->server, NULL, NULL);
req->fullpath="/";
snprintf(tmp,sizeof(tmp),"sessionid=%s",lastsessionid);
onion_dict_add(req->headers, "Cookie", tmp, 0);
onion_request_process(req);
FAIL_IF_EQUAL_STR(lastsessionid,"");
FAIL_IF_EQUAL_STR(lastsessionid, sessionid);
FAIL_IF_NOT(has_set_cookie);
strcpy(sessionid, lastsessionid);
req->fullpath=NULL;
onion_request_free(req);
FAIL_IF_NOT_EQUAL_INT(onion_dict_count(o->server->sessions->sessions), 2);
req=onion_request_new(o->server, NULL, NULL);
req->fullpath="/";
snprintf(tmp,sizeof(tmp),"sessionid=%sxx",lastsessionid);
onion_dict_add(req->headers, "Cookie", tmp, 0);
onion_request_process(req);
FAIL_IF_EQUAL_STR(lastsessionid,"");
FAIL_IF_EQUAL_STR(lastsessionid, sessionid);
FAIL_IF_NOT(has_set_cookie);
req->fullpath=NULL;
onion_request_free(req);
FAIL_IF_NOT_EQUAL_INT(onion_dict_count(o->server->sessions->sessions), 3);
// Ask for new, without session data, but I will not set data on session, so session is not created.
set_data_on_session=0;
req=onion_request_new(o->server, NULL, NULL);
req->fullpath="/";
onion_request_process(req);
FAIL_IF_EQUAL_STR(lastsessionid,"");
strcpy(sessionid, lastsessionid);
req->fullpath=NULL;
FAIL_IF_NOT_EQUAL_INT(onion_dict_count(o->server->sessions->sessions), 4); // For a moment it exists, until onion realizes is not necesary.
onion_request_free(req);
FAIL_IF_NOT_EQUAL_INT(onion_dict_count(o->server->sessions->sessions), 3);
onion_free(o);
END_LOCAL();
}
