/** * \brief UTHGenericTest: function that perfom a generic check taking care of * as maximum common unittest elements as possible. * It will create a detection engine, append an array * of signatures an check the spected results for each * of them, it check matches for an array of packets * * \param pkt pointer to the array of packets * \param numpkts number of packets to match * \param sigs array of char* pointing to signatures to load * \param numsigs number of signatures to load and check * \param results pointer to arrays of numbers, each of them foreach packet * to check if sids matches that packet as expected with * that number of times or not. The size of results should be * numpkts * numsigs * sizeof(uint16_t *) * * Example: * result[1][3] would mean the number of times the pkt[1] * match the sid[3] * * \retval int 1 if the match of all the sids is the specified has the * specified results; 0 if not */ int UTHGenericTest(Packet **pkt, int numpkts, char *sigs[], uint32_t sids[], uint32_t *results, int numsigs) { int result = 0; if (pkt == NULL || sigs == NULL || numpkts == 0 || sids == NULL || results == NULL || numsigs == 0) { SCLogError(SC_ERR_INVALID_ARGUMENT, "Arguments invalid, that the pointer/arrays are not NULL, and the number of signatures and packets is > 0"); goto end; } DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { goto end; } de_ctx->flags |= DE_QUIET; if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) goto cleanup; result = UTHMatchPacketsWithResults(de_ctx, pkt, numpkts, sids, results, numsigs); cleanup: if (de_ctx != NULL) { SigGroupCleanup(de_ctx); SigCleanSignatures(de_ctx); DetectEngineCtxFree(de_ctx); } end: return result; }
/** * \test DetectFlowintTestPacket03Real * \brief Check the behaviour of isset/notset */ int DetectFlowintTestPacket03Real() { Packet *p = NULL; ThreadVars th_v; DetectEngineThreadCtx *det_ctx = NULL; memset(&th_v, 0, sizeof(th_v)); DetectEngineCtx *de_ctx = DetectEngineCtxInit(); FAIL_IF(de_ctx == NULL); de_ctx->flags |= DE_QUIET; char *sigs[3]; sigs[0] = "alert tcp any any -> any any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; sid:101;)"; sigs[1] = "alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; sid:102;)"; sigs[2] = "alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; sid:103;)"; FAIL_IF(UTHAppendSigs(de_ctx, sigs, 3) == 0); SCSigRegisterSignatureOrderingFuncs(de_ctx); SCSigOrderSignatures(de_ctx); SCSigSignatureOrderingModuleCleanup(de_ctx); SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v,(void *) de_ctx,(void *) &det_ctx); Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80); FAIL_IF(f == NULL); f->proto = IPPROTO_TCP; p = UTHBuildPacket((uint8_t *)"GET", 3, IPPROTO_TCP); FAIL_IF(p == NULL); p->flow = f; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); FAIL_IF(!PacketAlertCheck(p, 101)); UTHFreePacket(p); p = UTHBuildPacket((uint8_t *)"Unauthorized", 12, IPPROTO_TCP); FAIL_IF(p == NULL); p->flow = f; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); FAIL_IF(!PacketAlertCheck(p, 102)); FAIL_IF(PacketAlertCheck(p, 103)); UTHFreePacket(p); p = UTHBuildPacket((uint8_t *)"1", 1, IPPROTO_TCP); FAIL_IF(p == NULL); p->flow = f; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); FAIL_IF(PacketAlertCheck(p, 102)); FAIL_IF(PacketAlertCheck(p, 103)); UTHFreePacket(p); UTHFreeFlow(f); DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx); DetectEngineCtxFree(de_ctx); PASS; }
/** * \test DetectFlowintTestPacket02Real * \brief like DetectFlowintTestPacket01Real but using isset/notset keywords */ static int DetectFlowintTestPacket02Real() { Packet *p = NULL; ThreadVars th_v; DetectEngineThreadCtx *det_ctx = NULL; memset(&th_v, 0, sizeof(th_v)); DetectEngineCtx *de_ctx = DetectEngineCtxInit(); FAIL_IF(de_ctx == NULL); de_ctx->flags |= DE_QUIET; char *sigs[5]; sigs[0] = "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint: myvar, notset; flowint:maxvar,notset; flowint: myvar,=,1; flowint: maxvar,=,6; sid:101;)"; sigs[1] = "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: myvar,+,2; sid:102;)"; sigs[2] = "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar, isset; flowint: myvar,==,3; flowint:cntpackets,notset; flowint: cntpackets, =, 0; sid:103;)"; sigs[3] = "alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: cntpackets,isset; flowint: cntpackets, +, 1; noalert;sid:104;)"; sigs[4] = "alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, isset; flowint: maxvar,isset; flowint: cntpackets, ==, maxvar; sid:105;)"; FAIL_IF(UTHAppendSigs(de_ctx, sigs, 5) == 0); SCSigRegisterSignatureOrderingFuncs(de_ctx); SCSigOrderSignatures(de_ctx); SCSigSignatureOrderingModuleCleanup(de_ctx); SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v,(void *) de_ctx,(void *) &det_ctx); Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80); FAIL_IF(f == NULL); f->proto = IPPROTO_TCP; p = UTHBuildPacket((uint8_t *)"GET", 3, IPPROTO_TCP); FAIL_IF(p == NULL); p->flow = f; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); FAIL_IF(!PacketAlertCheck(p, 101)); UTHFreePacket(p); p = UTHBuildPacket((uint8_t *)"Unauthorized", 12, IPPROTO_TCP); FAIL_IF(p == NULL); p->flow = f; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); FAIL_IF(!PacketAlertCheck(p, 102)); FAIL_IF(!PacketAlertCheck(p, 103)); UTHFreePacket(p); p = UTHBuildPacket((uint8_t *)"1", 1, IPPROTO_TCP); FAIL_IF(p == NULL); p->flow = f; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); UTHFreePacket(p); p = UTHBuildPacket((uint8_t *)"X", 1, IPPROTO_TCP); FAIL_IF(p == NULL); p->flow = f; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); FAIL_IF(!PacketAlertCheck(p, 105)); UTHFreePacket(p); UTHFreeFlow(f); DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx); DetectEngineCtxFree(de_ctx); PASS; }