/**
* \test DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter keyword
* by setting up the signature and later testing its working by matching
* the received packet against the sig.
*
* \retval 1 on succces
* \retval 0 on failure
*/
static int DetectDetectionFilterTestSig1(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
HostInitConfig(HOST_QUIET);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test\"; detection_filter: track by_dst, count 4, seconds 60; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
if(alerts == 4)
result = 1;
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
HostShutdown();
return result;
}
/**
* \brief UTHBuildPacket is a wrapper that build packets with default ip
* and port fields
*
* \param payload pointer to the payloadd buffer
* \param payload_len pointer to the length of the payload
* \param ipproto Protocols allowed atm are IPPROTO_TCP and IPPROTO_UDP
*
* \retval Packet pointer to the built in packet
*/
Packet *UTHBuildPacket(uint8_t *payload, uint16_t payload_len,
uint8_t ipproto)
{
return UTHBuildPacketReal(payload, payload_len, ipproto,
"192.168.1.5", "192.168.1.1",
41424, 80);
}
/**
* \brief UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs
* and defaulting ports
*
* \param payload pointer to the payloadd buffer
* \param payload_len pointer to the length of the payload
* \param ipproto Protocols allowed atm are IPPROTO_TCP and IPPROTO_UDP
*
* \retval Packet pointer to the built in packet
*/
Packet *UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len,
uint8_t ipproto, char *src, char *dst)
{
return UTHBuildPacketReal(payload, payload_len, ipproto,
src, dst,
41424, 80);
}
/**
* \brief UTHBuildPacketSrcDstPorts is a wrapper that build packets specifying
* src and dst ports and defaulting IPs
*
* \param payload pointer to the payloadd buffer
* \param payload_len pointer to the length of the payload
* \param ipproto Protocols allowed atm are IPPROTO_TCP and IPPROTO_UDP
*
* \retval Packet pointer to the built in packet
*/
Packet *UTHBuildPacketSrcDstPorts(uint8_t *payload, uint16_t payload_len,
uint8_t ipproto, uint16_t sport, uint16_t dport)
{
return UTHBuildPacketReal(payload, payload_len, ipproto,
"192.168.1.5", "192.168.1.1",
sport, dport);
}
/**
* \brief UTHBuildPacketRealTest02 wrapper to check packets for unittests
*/
int UTHBuildPacketRealTest02(void)
{
uint8_t payload[] = "Payload";
Packet *p = UTHBuildPacketReal(payload, sizeof(payload), IPPROTO_UDP,
"192.168.1.5", "192.168.1.1", 41424, 80);
int ret = CheckUTHTestPacket(p, IPPROTO_UDP);
UTHFreePacket(p);
return ret;
}
/**
* \test sig grouping bug.
*/
static int SigGroupHeadTest11(void)
{
int result = 0;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
Signature *s = NULL;
Packet *p = NULL;
DetectEngineThreadCtx *det_ctx = NULL;
ThreadVars th_v;
memset(&th_v, 0, sizeof(ThreadVars));
p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "192.168.1.1", "1.2.3.4", 60000, 80);
if (de_ctx == NULL || p == NULL)
return 0;
s = DetectEngineAppendSig(de_ctx, "alert tcp any 1024: -> any 1024: (content:\"abc\"; sid:1;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"def\"; http_client_body; sid:2;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
AddressDebugPrint(&p->dst);
SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
if (sgh == NULL) {
goto end;
}
/* check if hcbd flag is set in sgh */
if (!(sgh->flags & SIG_GROUP_HEAD_MPM_HCBD)) {
printf("sgh has not SIG_GROUP_HEAD_MPM_HCBD flag set: ");
goto end;
}
/* check if sig 2 is part of the sgh */
result = 1;
end:
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
UTHFreePackets(&p, 1);
return result;
}
int StreamTcpUTAddSegmentWithByte(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, uint8_t byte, uint16_t len) {
TcpSegment *s = StreamTcpGetSegment(tv, ra_ctx, len);
if (s == NULL) {
return -1;
}
s->seq = seq;
s->payload_len = len;
memset(s->payload, byte, len);
Packet *p = UTHBuildPacketReal(s->payload, s->payload_len, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
if (p == NULL) {
return -1;
}
p->tcph->th_seq = htonl(seq);
if (StreamTcpReassembleInsertSegment(tv, ra_ctx, stream, s, p) < 0)
return -1;
UTHFreePacket(p);
return 0;
}
/** \test simple google.com query matching, pcre */
static int DetectDnsQueryTest06(void)
{
/* google.com */
uint8_t buf[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, };
Flow f;
RSDNSState *dns_state = NULL;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
"192.168.1.5", "192.168.1.1",
41424, 53);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_UDP;
f.protomap = FlowGetProtoMapping(f.proto);
p->flow = &f;
p->flags |= PKT_HAS_FLOW;
p->flowflags |= FLOW_PKT_TOSERVER;
f.alproto = ALPROTO_DNS;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; "
"pcre:\"/google\\.com$/i\"; sid:1;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; "
"pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
STREAM_TOSERVER, buf, sizeof(buf));
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
FAIL;
}
FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate;
FAIL_IF_NULL(dns_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (!(PacketAlertCheck(p, 1))) {
printf("sig 1 didn't alert, but it should have: ");
FAIL;
}
if (!(PacketAlertCheck(p, 2))) {
printf("sig 2 didn't alert, but it should have: ");
FAIL;
}
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
FLOW_DESTROY(&f);
UTHFreePacket(p);
PASS;
}
/** \test simple google.com query matching (TCP) */
static int DetectDnsQueryTest03(void)
{
/* google.com */
uint8_t buf[] = { 0x00, 28,
0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f;
DNSState *dns_state = NULL;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 53);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
p->flow = &f;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_DNS;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google\"; nocase; dns_query; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
SCMutexLock(&f.m);
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER, buf, sizeof(buf));
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
SCMutexUnlock(&f.m);
goto end;
}
SCMutexUnlock(&f.m);
dns_state = f.alstate;
if (dns_state == NULL) {
printf("no dns state: ");
goto end;
}
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (!(PacketAlertCheck(p, 1))) {
printf("sig 1 didn't alert, but it should have: ");
goto end;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p);
return result;
}
/**
* \test Test matching on a simple google.com SNI with pcre
*/
static int DetectTlsSniTest02(void)
{
/* client hello */
uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7E,
0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
0x6F, 0x6D, };
Flow f;
SSLState *ssl_state = NULL;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 443);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
p->flow = &f;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test tls_sni option\"; "
"tls_sni; content:\"google\"; nocase; "
"pcre:\"/google\\.com$/i\"; sid:1;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test tls_sni option\"; "
"tls_sni; content:\"google\"; nocase; "
"pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, buf, sizeof(buf));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
FAIL_IF_NOT(PacketAlertCheck(p, 2));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&tv, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p);
PASS;
}
static int DetectThresholdTestSig6Ticks(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
uint64_t ticks_start = 0;
uint64_t ticks_end = 0;
ticks_start = UtilCpuGetTicks();
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
ticks_end = UtilCpuGetTicks();
printf("test run %"PRIu64"\n", (ticks_end - ticks_start));
if(alerts == 10)
result = 1;
else
goto cleanup;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
return result;
}
/** \test multi tx google.(com|net) query matching +
* app layer event */
static int DetectDnsQueryTest07(void)
{
/* google.com */
uint8_t buf1[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x01, 0x00, 0x01, };
uint8_t buf2[] = { 0x10, 0x32, /* tx id */
0x81, 0x80|0x40, /* flags: resp, recursion desired, recusion available */
0x00, 0x01, /* 1 query */
0x00, 0x01, /* 1 answer */
0x00, 0x00, 0x00, 0x00, /* no auth rr, additional rr */
/* query record */
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, /* name */
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, /* name cont */
0x00, 0x01, 0x00, 0x01, /* type a, class in */
/* answer */
0xc0, 0x0c, /* ref to name in query above */
0x00, 0x01, 0x00, 0x01, /* type a, class in */
0x00, 0x01, 0x40, 0xef, /* ttl */
0x00, 0x04, /* data len */
0x01, 0x02, 0x03, 0x04 }; /* addr */
/* google.net */
uint8_t buf3[] = { 0x11, 0x33, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f;
DNSState *dns_state = NULL;
Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
"192.168.1.5", "192.168.1.1",
41424, 53);
p2 = UTHBuildPacketReal(buf2, sizeof(buf2), IPPROTO_UDP,
"192.168.1.5", "192.168.1.1",
41424, 53);
p3 = UTHBuildPacketReal(buf3, sizeof(buf3), IPPROTO_UDP,
"192.168.1.5", "192.168.1.1",
41424, 53);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_UDP;
f.protomap = FlowGetProtoMapping(f.proto);
f.alproto = ALPROTO_DNS;
p1->flow = &f;
p1->flags |= PKT_HAS_FLOW;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->pcap_cnt = 1;
p2->flow = &f;
p2->flags |= PKT_HAS_FLOW;
p2->flowflags |= FLOW_PKT_TOCLIENT;
p2->pcap_cnt = 2;
p3->flow = &f;
p3->flags |= PKT_HAS_FLOW;
p3->flowflags |= FLOW_PKT_TOSERVER;
p3->pcap_cnt = 3;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test Z flag event\"; "
"app-layer-event:dns.z_flag_set; sid:3;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
SCMutexLock(&f.m);
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER, buf1, sizeof(buf1));
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
SCMutexUnlock(&f.m);
goto end;
}
SCMutexUnlock(&f.m);
dns_state = f.alstate;
if (dns_state == NULL) {
printf("no dns state: ");
goto end;
}
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (!(PacketAlertCheck(p1, 1))) {
printf("(p1) sig 1 didn't alert, but it should have: ");
goto end;
}
if (PacketAlertCheck(p1, 2)) {
printf("(p1) sig 2 did alert, but it should not have: ");
goto end;
}
SCMutexLock(&f.m);
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT, buf2, sizeof(buf2));
if (r != -1) {
printf("toserver client 1 returned %" PRId32 ", expected 0: ", r);
SCMutexUnlock(&f.m);
goto end;
}
SCMutexUnlock(&f.m);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
if (PacketAlertCheck(p2, 1)) {
printf("(p2) sig 1 alerted, but it should not have: ");
goto end;
}
if (PacketAlertCheck(p2, 2)) {
printf("(p2) sig 2 alerted, but it should not have: ");
goto end;
}
if (!(PacketAlertCheck(p2, 3))) {
printf("(p2) sig 3 didn't alert, but it should have: ");
goto end;
}
SCMutexLock(&f.m);
r = AppLayerParserParse(alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER, buf3, sizeof(buf3));
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
SCMutexUnlock(&f.m);
goto end;
}
SCMutexUnlock(&f.m);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
if (PacketAlertCheck(p3, 1)) {
printf("(p3) sig 1 alerted, but it should not have: ");
goto end;
}
if (!(PacketAlertCheck(p3, 2))) {
printf("(p3) sig 2 didn't alert, but it should have: ");
goto end;
}
/** \todo should not alert, bug #839
if (PacketAlertCheck(p3, 3)) {
printf("(p3) sig 3 did alert, but it should not have: ");
goto end;
}
*/
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
FLOW_DESTROY(&f);
UTHFreePacket(p1);
UTHFreePacket(p2);
UTHFreePacket(p3);
return result;
}
static int DetectThresholdTestSig3(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
struct timeval ts;
DetectThresholdData *td = NULL;
DetectThresholdEntry *lookup_tsh = NULL;
DetectThresholdEntry *ste = NULL;
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
td = SigGetThresholdType(s,p);
/* setup the Entry we use to search our hash with */
ste = SCMalloc(sizeof(DetectThresholdEntry));
if (ste == NULL)
goto end;
memset(ste, 0x00, sizeof(ste));
if (PKT_IS_IPV4(p))
ste->ipv = 4;
else if (PKT_IS_IPV6(p))
ste->ipv = 6;
ste->sid = s->id;
ste->gid = s->gid;
if (td->track == TRACK_DST) {
COPY_ADDRESS(&p->dst, &ste->addr);
} else if (td->track == TRACK_SRC) {
COPY_ADDRESS(&p->src, &ste->addr);
}
ste->track = td->track;
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
lookup_tsh = (DetectThresholdEntry *)HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_dst, ste, sizeof(DetectThresholdEntry));
if (lookup_tsh == NULL) {
printf("lookup_tsh is NULL: ");
goto cleanup;
}
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (lookup_tsh)
alerts = lookup_tsh->current_count;
if (alerts == 3)
result = 1;
else {
printf("alerts %u != 3: ", alerts);
goto cleanup;
}
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
return result;
}
static int DetectThresholdTestSig4(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
struct timeval ts;
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
if (alerts == 2)
result = 1;
else
goto cleanup;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
return result;
}
static int DetectThresholdTestSig1(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
if (s->flags & SIG_FLAG_IPONLY) {
printf("signature is ip-only: ");
goto end;
}
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
if(alerts == 5)
result = 1;
else
printf("alerts %"PRIi32", expected 5: ", alerts);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
UTHFreePackets(&p, 1);
end:
return result;
}
static int DetectThresholdTestSig5(void)
{
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
HostInitConfig(HOST_QUIET);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
if(alerts == 10)
result = 1;
else {
printf("alerts %d != 10: ", alerts);
goto cleanup;
}
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
HostShutdown();
return result;
}
/**
* \test drops
*/
static int DetectDetectionFilterTestSig3(void)
{
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
int drops = 0;
struct timeval ts;
HostInitConfig(HOST_QUIET);
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 2, seconds 60; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 10);
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
p->action = 0;
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
p->action = 0;
if (alerts == 3 && drops == 3)
result = 1;
else {
if (alerts != 3)
printf("alerts: %d != 3: ", alerts);
if (drops != 3)
printf("drops: %d != 3: ", drops);
}
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
HostShutdown();
return result;
}
/** \test simple google.com query matching (TCP splicing) */
static int DetectDnsQueryTest05(void)
{
/* google.com in 2 chunks (buf1 and buf2) */
uint8_t buf1[] = { 0x00, 28, /* len 28 */
0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, };
uint8_t buf2[] = { 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, };
uint8_t buf3[] = { 0x00, 44, /* len 44 */
0x10, 0x32, /* tx id */
0x81, 0x80, /* flags: resp, recursion desired, recusion available */
0x00, 0x01, /* 1 query */
0x00, 0x01, /* 1 answer */
0x00, 0x00, 0x00, 0x00, /* no auth rr, additional rr */
/* query record */
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, /* name */
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, /* name cont */
0x00, 0x01, 0x00, 0x01, /* type a, class in */
/* answer */
0xc0, 0x0c, /* ref to name in query above */
0x00, 0x01, 0x00, 0x01, /* type a, class in */
0x00, 0x01, 0x40, 0xef, /* ttl */
0x00, 0x04, /* data len */
0x01, 0x02, 0x03, 0x04 }; /* addr */
/* google.net */
uint8_t buf4[] = { 0x00, 28, /* len 28 */
0x11, 0x33, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
0x00, 0x10, 0x00, 0x01, };
Flow f;
RSDNSState *dns_state = NULL;
Packet *p1 = NULL, *p2 = NULL, *p3 = NULL, *p4 = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 53);
p2 = UTHBuildPacketReal(buf2, sizeof(buf2), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 53);
p3 = UTHBuildPacketReal(buf3, sizeof(buf3), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 53);
p4 = UTHBuildPacketReal(buf4, sizeof(buf4), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 53);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
f.alproto = ALPROTO_DNS;
p1->flow = &f;
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p1->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
p2->flow = &f;
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p2->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
p3->flow = &f;
p3->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p3->flowflags |= FLOW_PKT_TOCLIENT|FLOW_PKT_ESTABLISHED;
p4->flow = &f;
p4->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p4->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
STREAM_TOSERVER, buf1, sizeof(buf1));
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
FAIL;
}
FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate;
FAIL_IF_NULL(dns_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (PacketAlertCheck(p1, 1)) {
printf("(p1) sig 1 alerted, but it should not have: ");
FAIL;
}
if (PacketAlertCheck(p1, 2)) {
printf("(p1) sig 2 did alert, but it should not have: ");
FAIL;
}
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
buf2, sizeof(buf2));
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
FAIL;
}
FLOWLOCK_UNLOCK(&f);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
if (!(PacketAlertCheck(p2, 1))) {
printf("sig 1 didn't alert, but it should have: ");
FAIL;
}
if (PacketAlertCheck(p2, 2)) {
printf("(p2) sig 2 did alert, but it should not have: ");
FAIL;
}
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT,
buf3, sizeof(buf3));
if (r != 0) {
printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
FAIL;
}
FLOWLOCK_UNLOCK(&f);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
if (PacketAlertCheck(p3, 1)) {
printf("sig 1 did alert, but it should not have: ");
FAIL;
}
if (PacketAlertCheck(p3, 2)) {
printf("(p3) sig 2 did alert, but it should not have: ");
FAIL;
}
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
buf4, sizeof(buf4));
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
FAIL;
}
FLOWLOCK_UNLOCK(&f);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p4);
if (PacketAlertCheck(p4, 1)) {
printf("(p4) sig 1 did alert, but it should not have: ");
FAIL;
}
if (!(PacketAlertCheck(p4, 2))) {
printf("sig 1 didn't alert, but it should have: ");
FAIL;
}
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p1);
UTHFreePacket(p2);
UTHFreePacket(p3);
UTHFreePacket(p4);
PASS;
}
/** \test simple google.com query matching (TCP splicing) */
static int DetectDnsQueryTest04(void)
{
/* google.com */
uint8_t buf1[] = { 0x00, 28,
0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, };
uint8_t buf2[] = { 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, };
Flow f;
RSDNSState *dns_state = NULL;
Packet *p1 = NULL, *p2 = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 53);
p2 = UTHBuildPacketReal(buf2, sizeof(buf2), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 53);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
f.alproto = ALPROTO_DNS;
p1->flow = &f;
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p1->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
p2->flow = &f;
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p2->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
STREAM_TOSERVER, buf1, sizeof(buf1));
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
FAIL;
}
FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate;
FAIL_IF_NULL(dns_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (PacketAlertCheck(p1, 1)) {
printf("sig 1 alerted, but it should not have: ");
FAIL;
}
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
buf2, sizeof(buf2));
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0\n", r);
FLOWLOCK_UNLOCK(&f);
FAIL;
}
FLOWLOCK_UNLOCK(&f);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
if (!(PacketAlertCheck(p2, 1))) {
printf("sig 1 didn't alert, but it should have: ");
FAIL;
}
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p1);
UTHFreePacket(p2);
PASS;
}
/**
* \test Test matching for google in the issuer of a certificate
*
*/
static int DetectTlsIssuerTest02(void)
{
/* client hello */
uint8_t client_hello[] = {
0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
0x03, 0x04, 0x02, 0x02, 0x02
};
/* server hello */
uint8_t server_hello[] = {
0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
0x0b, 0x00, 0x02, 0x01, 0x00
};
/* certificate */
uint8_t certificate[] = {
0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
};
Flow f;
SSLState *ssl_state = NULL;
TcpSession ssn;
Packet *p1 = NULL;
Packet *p2 = NULL;
Packet *p3 = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1", 51251, 443);
p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
"192.168.1.1", "192.168.1.5", 443, 51251);
p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
"192.168.1.1", "192.168.1.5", 443, 51251);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
f.alproto = ALPROTO_TLS;
p1->flow = &f;
p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->pcap_cnt = 1;
p2->flow = &f;
p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p2->flowflags |= FLOW_PKT_TOCLIENT;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->pcap_cnt = 2;
p3->flow = &f;
p3->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p3->flowflags |= FLOW_PKT_TOCLIENT;
p3->flowflags |= FLOW_PKT_ESTABLISHED;
p3->pcap_cnt = 3;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test tls_cert_issuer\"; "
"tls_cert_issuer; content:\"google\"; nocase; "
"sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, client_hello,
sizeof(client_hello));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
FAIL_IF(PacketAlertCheck(p1, 1));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
server_hello, sizeof(server_hello));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
FAIL_IF(PacketAlertCheck(p2, 1));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
certificate, sizeof(certificate));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
FAIL_IF_NOT(PacketAlertCheck(p3, 1));
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p1);
UTHFreePacket(p2);
UTHFreePacket(p3);
PASS;
}
static int DetectThresholdTestSig3(void)
{
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
struct timeval ts;
DetectThresholdEntry *lookup_tsh = NULL;
HostInitConfig(HOST_QUIET);
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
Host *host = HostLookupHostFromHash(&p->dst);
if (host == NULL) {
printf("host not found: ");
goto cleanup;
}
if (!(ThresholdHostHasThreshold(host))) {
HostRelease(host);
printf("host has no threshold: ");
goto cleanup;
}
HostRelease(host);
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
host = HostLookupHostFromHash(&p->dst);
if (host == NULL) {
printf("host not found: ");
goto cleanup;
}
HostRelease(host);
lookup_tsh = HostGetStorageById(host, ThresholdHostStorageId());
if (lookup_tsh == NULL) {
HostRelease(host);
printf("lookup_tsh is NULL: ");
goto cleanup;
}
alerts = lookup_tsh->current_count;
if (alerts == 3)
result = 1;
else {
printf("alerts %u != 3: ", alerts);
goto cleanup;
}
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
HostShutdown();
return result;
}
