コード例 #1
0
ファイル: detect-isdataat.c プロジェクト: 58698301/suricata
/**
 * \test DetectIsdataatTestPacket02 is a test to check matches of
 * isdataat, and isdataat relative works if the previous keyword is pcre
 * (bug 144)
 */
int DetectIsdataatTestPacket02 (void) {
    int result = 0;
    uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
                    "User-Agent: Wget/1.11.4"
                    "Accept: */*"
                    "Host: www.google.com"
                    "Connection: Keep-Alive"
                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
    uint16_t buflen = strlen((char *)buf);
    Packet *p;
    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);

    if (p == NULL)
        goto end;

    char sig[] = "alert tcp any any -> any any (msg:\"pcre with"
            " isdataat + relative\"; pcre:\"/A(ll|pp)WorkAndNoPlayMakesWillA"
            "DullBoy/\"; isdataat:96,relative; sid:1;)";

    result = UTHPacketMatchSig(p, sig);

    UTHFreePacket(p);
end:
    return result;
}
コード例 #2
0
ファイル: detect-bytejump.c プロジェクト: 2help/suricata
/**
 * \test DetectByteJumpTestPacket02 is a test to check matches of
 * byte_jump and byte_jump relative works if the previous keyword is byte_jump
 * (bug 165)
 */
int DetectByteJumpTestPacket02 (void) {
    int result = 0;
    uint8_t buf[] = { 0x00, 0x00, 0x00, 0x77, 0xff, 0x53,
                    0x4d, 0x42, 0x2f, 0x00, 0x00, 0x00, 0x00, 0x18,
                    0x01, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
                    0x92, 0xa4, 0x01, 0x08, 0x17, 0x5c, 0x0e, 0xff,
                    0x00, 0x00, 0x00, 0x01, 0x40, 0x48, 0x00, 0x00,
                    0x00, 0xff };
    uint16_t buflen = sizeof(buf);
    Packet *p;
    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);

    if (p == NULL)
        goto end;

    char sig[] = "alert tcp any any -> any any (msg:\"byte_jump with byte_jump"
                 " + relative\"; byte_jump:1,13; byte_jump:4,0,relative; "
                 "content:\"|48 00 00|\"; within:3; sid:144; rev:1;)";

    result = UTHPacketMatchSig(p, sig);

    UTHFreePacket(p);
end:
    return result;
}
コード例 #3
0
static int PayloadTestSig21(void)
{
    uint8_t buf[] = {
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
        0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
        0x0E, 0x0F,
    };
    uint16_t buflen = sizeof(buf);
    Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
    int result = 0;

    char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
        "content:\"|01 02 03 04|\"; "
        "byte_extract:1,2,one,string,dec,relative; "
        "content:\"|03 04 05 06|\"; depth:one; sid:1;)";

    if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
        result = 0;
        goto end;
    }

    result = 1;

end:
    if (p != NULL)
        UTHFreePacket(p);
    return result;
}
コード例 #4
0
/*
 * \test Test negative byte extract.
 */
static int PayloadTestSig26(void)
{
    uint8_t buf[] = {
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
        0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
        0x0E, 0x0F,
    };
    uint16_t buflen = sizeof(buf);
    Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
    int result = 0;

    char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
        "content:\"|35 07 08 09|\"; "
        "byte_extract:1,-3000,one,string,dec,relative; "
        "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";

    if (UTHPacketMatchSigMpm(p, sig, MPM_AC) != 0) {
        result = 0;
        goto end;
    }

    result = 1;

end:
    if (p != NULL)
        UTHFreePacket(p);
    return result;
}
コード例 #5
0
ファイル: detect-bytejump.c プロジェクト: 2help/suricata
/**
 * \test DetectByteJumpTestPacket01 is a test to check matches of
 * byte_jump and byte_jump relative works if the previous keyword is pcre
 * (bug 142)
 */
int DetectByteJumpTestPacket01 (void) {
    int result = 0;
    uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
                    "User-Agent: Wget/1.11.4"
                    "Accept: */*"
                    "Host: www.google.com"
                    "Connection: Keep-Alive"
                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
    uint16_t buflen = strlen((char *)buf);
    Packet *p;
    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);

    if (p == NULL)
        goto end;

    char sig[] = "alert tcp any any -> any any (msg:\"pcre + byte_test + "
    "relative\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\"; byte_jump:1,6,"
    "relative,string,dec; content:\"0\"; sid:134; rev:1;)";

    result = UTHPacketMatchSig(p, sig);

    UTHFreePacket(p);
end:
    return result;
}
コード例 #6
0
ファイル: detect-isdataat.c プロジェクト: 58698301/suricata
/**
 * \test DetectIsdataatTestPacket03 is a test to check matches of
 * isdataat, and isdataat relative works if the previous keyword is byte_jump
 * (bug 146)
 */
int DetectIsdataatTestPacket03 (void) {
    int result = 0;
    uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
                    "User-Agent: Wget/1.11.4"
                    "Accept: */*"
                    "Host: www.google.com"
                    "Connection: Keep-Alive"
                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
    uint16_t buflen = strlen((char *)buf);
    Packet *p;
    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);

    if (p == NULL)
        goto end;

    char sig[] = "alert tcp any any -> any any (msg:\"byte_jump match = 0 "
    "with distance content HTTP/1. relative against HTTP/1.0\"; byte_jump:1,"
    "46,string,dec; isdataat:87,relative; sid:109; rev:1;)";

    result = UTHPacketMatchSig(p, sig);

    UTHFreePacket(p);
end:
    return result;
}
コード例 #7
0
static int DetectBase64DecodeTestDecodeRelative(void)
{
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Packet *p = NULL;
    int retval = 0;

    uint8_t payload[] = {
        'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
        'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
        'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
    };
    char decoded[] = "Hello World";

    memset(&tv, 0, sizeof(tv));

    if ((de_ctx = DetectEngineCtxInit()) == NULL) {
        goto end;
    }

    de_ctx->sig_list = SigInit(de_ctx,
                               "alert tcp any any -> any any (msg:\"base64 test\"; "
                               "content:\"aaaaaaaa\"; "
                               "base64_decode: relative; "
                               "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
    if (p == NULL) {
        goto end;
    }

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
        goto end;
    }
    if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
        goto end;
    }

    retval = 1;
end:
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    }
    if (de_ctx != NULL) {
        SigCleanSignatures(de_ctx);
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePacket(p);
    }
    return retval;
}
コード例 #8
0
uint32_t UTHBuildPacketOfFlows(uint32_t start, uint32_t end, uint8_t dir)
{
    uint32_t i = start;
    uint8_t payload[] = "Payload";
    for (; i < end; i++) {
        Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
        if (dir == 0) {
            p->src.addr_data32[0] = i;
            p->dst.addr_data32[0] = i + 1;
        } else {
            p->src.addr_data32[0] = i + 1;
            p->dst.addr_data32[0] = i;
        }
        FlowHandlePacket(NULL, NULL, p);
        if (p->flow != NULL) {
            SC_ATOMIC_RESET(p->flow->use_cnt);
            FLOWLOCK_UNLOCK(p->flow);
        }

        /* Now the queues shoul be updated */
        UTHFreePacket(p);
    }

    return i;
}
コード例 #9
0
ファイル: detect-within.c プロジェクト: jerryma119/suricata
 /**
 * \test DetectWithinTestPacket01 is a test to check matches of
 * within, if the previous keyword is pcre (bug 145)
 */
int DetectWithinTestPacket01 (void) {
    int result = 0;
    uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
                    "User-Agent: Wget/1.11.4"
                    "Accept: */*"
                    "Host: www.google.com"
                    "Connection: Keep-Alive"
                    "Date: Mon, 04 Jan 2010 17:29:39 GMT";
    uint16_t buflen = strlen((char *)buf);
    Packet *p;
    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);

    if (p == NULL)
        goto end;

    char sig[] = "alert tcp any any -> any any (msg:\"pcre with within "
                 "modifier\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\";"
                 " content:\"HTTP\"; within:5; sid:49; rev:1;)";

    result = UTHPacketMatchSig(p, sig);

    UTHFreePacket(p);
end:
    return result;
}
コード例 #10
0
ファイル: detect-bytejump.c プロジェクト: 2help/suricata
int DetectByteJumpTestPacket03(void)
{
    int result = 0;
    uint8_t *buf = NULL;
    uint16_t buflen = 0;
    buf = SCMalloc(4);
    if (unlikely(buf == NULL)) {
        printf("malloc failed\n");
        exit(EXIT_FAILURE);
    }
    memcpy(buf, "boom", 4);
    buflen = 4;

    Packet *p;
    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);

    if (p == NULL)
        goto end;

    char sig[] = "alert tcp any any -> any any (msg:\"byte_jump\"; "
        "byte_jump:1,214748364; sid:1; rev:1;)";

    result = !UTHPacketMatchSig(p, sig);

    UTHFreePacket(p);

end:
    if (buf != NULL)
        SCFree(buf);
    return result;
}
コード例 #11
0
ファイル: stream-tcp-inline.c プロジェクト: 58698301/suricata
/** \test full overlap */
static int StreamTcpInlineTest01(void) {
    SCEnter();

    uint8_t payload1[] = "AAC"; /* packet */
    uint8_t payload2[] = "ABC"; /* segment */
    int result = 0;
    TcpSegment *t = NULL;

    Packet *p = UTHBuildPacketSrcDstPorts(payload1, sizeof(payload1)-1, IPPROTO_TCP, 1024, 80);
    if (p == NULL || p->tcph == NULL) {
        printf("generating test packet failed: ");
        goto end;
    }
    p->tcph->th_seq = htonl(10000000UL);

    t = SCMalloc(sizeof(TcpSegment));
    if (t == NULL) {
        printf("alloc TcpSegment failed: ");
        goto end;
    }
    memset(t, 0x00, sizeof(TcpSegment));
    t->payload = payload2;
    t->payload_len = sizeof(payload2)-1;
    t->seq = 10000000UL;

    StreamTcpInlineSegmentReplacePacket(p, t);

    if (!(p->flags & PKT_STREAM_MODIFIED)) {
        printf("PKT_STREAM_MODIFIED pkt flag not set: ");
        goto end;
    }

    if (memcmp(p->payload, t->payload, p->payload_len) != 0) {
        printf("Packet:\n");
        PrintRawDataFp(stdout,p->payload,p->payload_len);
        printf("Segment:\n");
        PrintRawDataFp(stdout,t->payload,t->payload_len);
        printf("payloads didn't match: ");
        goto end;
    }

    uint8_t *pkt = GET_PKT_DATA(p)+(GET_PKT_LEN(p)-sizeof(payload1)+1);
    if (memcmp(pkt,payload2,sizeof(payload2)-1) != 0) {
        PrintRawDataFp(stdout,pkt,3);
        PrintRawDataFp(stdout,GET_PKT_DATA(p),GET_PKT_LEN(p));
        goto end;
    }

    result = 1;
end:
    if (p != NULL) {
        UTHFreePacket(p);
    }
    if (t != NULL) {
        SCFree(t);
    }
    SCReturnInt(result);
}
コード例 #12
0
/**
 * \brief UTHFreePackets: function to release the allocated data
 * from UTHBuildPacket and the packet itself
 *
 * \param p pointer to the Packet
 */
void UTHFreePackets(Packet **p, int numpkts)
{
    if (p == NULL)
        return;

    int i = 0;
    for (; i < numpkts; i++) {
        UTHFreePacket(p[i]);
    }
}
コード例 #13
0
static int DetectBase64DecodeTestDecodeLargeOffset(void)
{
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Packet *p = NULL;
    int retval = 0;

    uint8_t payload[] = {
        'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
        'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
    };

    memset(&tv, 0, sizeof(tv));

    if ((de_ctx = DetectEngineCtxInit()) == NULL) {
        goto end;
    }

    /* Offset is out of range. */
    de_ctx->sig_list = SigInit(de_ctx,
                               "alert tcp any any -> any any (msg:\"base64 test\"; "
                               "base64_decode: bytes 16, offset 32; "
                               "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

    p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
    if (p == NULL) {
        goto end;
    }

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (det_ctx->base64_decoded_len != 0) {
        goto end;
    }

    retval = 1;
end:
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    }
    if (de_ctx != NULL) {
        SigCleanSignatures(de_ctx);
        SigGroupCleanup(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePacket(p);
    }
    return retval;
}
コード例 #14
0
/**
 * \brief UTHBuildPacketTest02 wrapper to check packets for unittests
 */
int UTHBuildPacketTest02(void)
{
    uint8_t payload[] = "Payload";

    Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_UDP);

    int ret = CheckUTHTestPacket(p, IPPROTO_UDP);
    UTHFreePacket(p);

    return ret;
}
コード例 #15
0
/**
 * \brief UTHBuildPacketRealTest02 wrapper to check packets for unittests
 */
int UTHBuildPacketRealTest02(void)
{
    uint8_t payload[] = "Payload";

    Packet *p = UTHBuildPacketReal(payload, sizeof(payload), IPPROTO_UDP,
                                   "192.168.1.5", "192.168.1.1", 41424, 80);

    int ret = CheckUTHTestPacket(p, IPPROTO_UDP);
    UTHFreePacket(p);
    return ret;
}
コード例 #16
0
/**
 * \brief UTHBuildPacketSrcDstTest01 wrapper to check packets for unittests
 */
int UTHBuildPacketSrcDstTest01(void)
{
    uint8_t payload[] = "Payload";

    Packet *p = UTHBuildPacketSrcDst(payload, sizeof(payload), IPPROTO_TCP,
                                     "192.168.1.5", "192.168.1.1");

    int ret = CheckUTHTestPacket(p, IPPROTO_TCP);
    UTHFreePacket(p);

    return ret;
}
コード例 #17
0
/**
 * \brief UTHBuildPacketSrcDstPortsTest01 wrapper to check packets for unittests
 */
int UTHBuildPacketSrcDstPortsTest01(void)
{
    uint8_t payload[] = "Payload";

    Packet *p = UTHBuildPacketSrcDstPorts(payload, sizeof(payload), IPPROTO_TCP,
                                          41424, 80);

    int ret = CheckUTHTestPacket(p, IPPROTO_TCP);
    UTHFreePacket(p);

    return ret;
}
コード例 #18
0
static int PayloadLenFieldTest2() {
	uint8_t payload[4096];

	uint16_t len = sizeof(payload);

	memcpy(payload + 2, &len, 4);

	Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);

	int res = UTHPacketMatchSig(p, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:2 len:4; sid:1;)");

	UTHFreePacket(p);

	return res;
}
コード例 #19
0
static int PayloadLenFieldTest1() {
	uint8_t payload[] = {
			1,2,3,4,5,6,7,8,9,10
	};
	uint8_t len = sizeof(payload);

	payload[2] = len;

	Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);

	int res = UTHPacketMatchSig(p, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:2 len:1; sid:1;)");

	UTHFreePacket(p);

	return res;
}
コード例 #20
0
static int DetectFlowSigTest01(void)
{
    ThreadVars th_v;
    DecodeThreadVars dtv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    uint8_t *buf = (uint8_t *)"supernovaduper";
    uint16_t buflen = strlen((char *)buf);

    Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
    FAIL_IF_NULL(p);

    char *sig1 = "alert tcp any any -> any any (msg:\"dummy\"; "
        "content:\"nova\"; flow:no_stream; sid:1;)";

    memset(&dtv, 0, sizeof(DecodeThreadVars));
    memset(&th_v, 0, sizeof(th_v));

    de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

    de_ctx->sig_list = SigInit(de_ctx, sig1);
    FAIL_IF_NULL(de_ctx->sig_list);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(PacketAlertCheck(p, 1) != 1);

    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }

    if (p != NULL)
        UTHFreePacket(p);

    PASS;
}
コード例 #21
0
ファイル: detect-bytejump.c プロジェクト: 2help/suricata
/**
 * \test check matches of with from_beginning (bug 626/627)
 */
int DetectByteJumpTestPacket07 (void) {
    int result = 0;
    uint8_t *buf = (uint8_t *)"XX04abcdABCD";
    uint16_t buflen = strlen((char *)buf);
    Packet *p;
    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);

    if (p == NULL)
        goto end;

    char sig[] = "alert tcp any any -> any any (content:\"XX\"; byte_jump:2,0,relative,string,dec,from_beginning; content:\"abcdABCD\"; distance:0; within:8; sid:1; rev:1;)";

    result = UTHPacketMatchSig(p, sig) ? 1 : 0;

    UTHFreePacket(p);
end:
    return result;
}
コード例 #22
0
static int PayloadLenFieldTest3() {
	uint8_t payload[256];
	for (int i = 0; i < 256; ++i) {
		payload[i] = i;
	}

	uint16_t len = sizeof(payload);

	memcpy(payload + 1, &len, 2);

	Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);

	int res = UTHPacketMatchSig(p, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:1 len:2; sid:1;)");

	UTHFreePacket(p);

	return res;
}
コード例 #23
0
int DetectWithinTestPacket02 (void) {
    int result = 0;
    uint8_t *buf = (uint8_t *)"Zero Five Ten Fourteen";
    uint16_t buflen = strlen((char *)buf);
    Packet *p;
    p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);

    if (p == NULL)
        goto end;

    char sig[] = "alert tcp any any -> any any (msg:\"pcre with within "
                 "modifier\"; content:\"Five\"; content:\"Ten\"; within:3; distance:1; sid:1;)";

    result = UTHPacketMatchSig(p, sig);

    UTHFreePacket(p);
end:
    return result;
}
コード例 #24
0
ファイル: detect-engine-payload.c プロジェクト: norg/suricata
/**
 * \test Test byte_jump.
 */
static int PayloadTestSig32(void)
{
    uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
    int result = 0;

    char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
        "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";

    if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0)
        goto end;

    result = 1;
end:
    if (p != NULL)
        UTHFreePacket(p);
    return result;
}
コード例 #25
0
/** \test Negative distance matching */
static int PayloadTestSig03 (void) {
    uint8_t *buf = (uint8_t *)
                    "abcaBcd";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
    int result = 0;

    char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
    if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
        result = 0;
        goto end;
    }

    result = 1;
end:
    if (p != NULL)
        UTHFreePacket(p);
    return result;
}
コード例 #26
0
/**
 * \test Test byte_extract.
 */
static int PayloadTestSig34(void)
{
    uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
    int result = 0;

    char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
        "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";

    if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0)
        goto end;

    result = 1;
end:
    if (p != NULL)
        UTHFreePacket(p);
    return result;
}
コード例 #27
0
static int PayloadTestSig31(void)
{
    uint8_t *buf = (uint8_t *)
                    "xyonexxxxxxtwojunkonetwo";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
    int result = 0;

    char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
    if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 0) {
        result = 0;
        goto end;
    }

    result = 1;
end:
    if (p != NULL)
        UTHFreePacket(p);
    return result;
}
コード例 #28
0
/**
 * \test Test multiple relative matches with negative matches
 *       and show the need for det_ctx->discontinue_matching.
 */
static int PayloadTestSig08(void)
{
    uint8_t *buf = (uint8_t *)"we need to fix this and yes fix this now";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
    int result = 0;

    char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
        "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";

    if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) != 1) {
        goto end;
    }

    result = 1;
end:
    if (p != NULL)
        UTHFreePacket(p);
    return result;
}
コード例 #29
0
int StreamTcpUTAddSegmentWithByte(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, uint8_t byte, uint16_t len) {
    TcpSegment *s = StreamTcpGetSegment(tv, ra_ctx, len);
    if (s == NULL) {
        return -1;
    }

    s->seq = seq;
    s->payload_len = len;
    memset(s->payload, byte, len);

    Packet *p = UTHBuildPacketReal(s->payload, s->payload_len, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
    if (p == NULL) {
        return -1;
    }
    p->tcph->th_seq = htonl(seq);

    if (StreamTcpReassembleInsertSegment(tv, ra_ctx, stream, s, p) < 0)
        return -1;
    UTHFreePacket(p);
    return 0;
}
コード例 #30
0
/**
 * \test normal & negated matching, both absolute and relative
 */
static int PayloadTestSig14(void)
{
    uint8_t *buf = (uint8_t *)"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
    int result = 0;

    char sig[] = "alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";

    //char sig[] = "alert tcp any any -> any any (content:\"User-Agent: Mozilla/5.0 (Macintosh; \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";

    if (UTHPacketMatchSigMpm(p, sig, DEFAULT_MPM) == 1) {
        goto end;
    }

    result = 1;
end:
    if (p != NULL)
        UTHFreePacket(p);
    return result;
}