/** * \test DetectIsdataatTestPacket03 is a test to check matches of * isdataat, and isdataat relative works if the previous keyword is byte_jump * (bug 146) */ int DetectIsdataatTestPacket03 (void) { int result = 0; uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0" "User-Agent: Wget/1.11.4" "Accept: */*" "Host: www.google.com" "Connection: Keep-Alive" "Date: Mon, 04 Jan 2010 17:29:39 GMT"; uint16_t buflen = strlen((char *)buf); Packet *p; p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); if (p == NULL) goto end; char sig[] = "alert tcp any any -> any any (msg:\"byte_jump match = 0 " "with distance content HTTP/1. relative against HTTP/1.0\"; byte_jump:1," "46,string,dec; isdataat:87,relative; sid:109; rev:1;)"; result = UTHPacketMatchSig(p, sig); UTHFreePacket(p); end: return result; }
/** * \test DetectWithinTestPacket01 is a test to check matches of * within, if the previous keyword is pcre (bug 145) */ int DetectWithinTestPacket01 (void) { int result = 0; uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0" "User-Agent: Wget/1.11.4" "Accept: */*" "Host: www.google.com" "Connection: Keep-Alive" "Date: Mon, 04 Jan 2010 17:29:39 GMT"; uint16_t buflen = strlen((char *)buf); Packet *p; p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); if (p == NULL) goto end; char sig[] = "alert tcp any any -> any any (msg:\"pcre with within " "modifier\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\";" " content:\"HTTP\"; within:5; sid:49; rev:1;)"; result = UTHPacketMatchSig(p, sig); UTHFreePacket(p); end: return result; }
int DetectByteJumpTestPacket03(void) { int result = 0; uint8_t *buf = NULL; uint16_t buflen = 0; buf = SCMalloc(4); if (unlikely(buf == NULL)) { printf("malloc failed\n"); exit(EXIT_FAILURE); } memcpy(buf, "boom", 4); buflen = 4; Packet *p; p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); if (p == NULL) goto end; char sig[] = "alert tcp any any -> any any (msg:\"byte_jump\"; " "byte_jump:1,214748364; sid:1; rev:1;)"; result = !UTHPacketMatchSig(p, sig); UTHFreePacket(p); end: if (buf != NULL) SCFree(buf); return result; }
/** * \test DetectIsdataatTestPacket02 is a test to check matches of * isdataat, and isdataat relative works if the previous keyword is pcre * (bug 144) */ int DetectIsdataatTestPacket02 (void) { int result = 0; uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0" "User-Agent: Wget/1.11.4" "Accept: */*" "Host: www.google.com" "Connection: Keep-Alive" "Date: Mon, 04 Jan 2010 17:29:39 GMT"; uint16_t buflen = strlen((char *)buf); Packet *p; p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); if (p == NULL) goto end; char sig[] = "alert tcp any any -> any any (msg:\"pcre with" " isdataat + relative\"; pcre:\"/A(ll|pp)WorkAndNoPlayMakesWillA" "DullBoy/\"; isdataat:96,relative; sid:1;)"; result = UTHPacketMatchSig(p, sig); UTHFreePacket(p); end: return result; }
/** * \test DetectByteJumpTestPacket02 is a test to check matches of * byte_jump and byte_jump relative works if the previous keyword is byte_jump * (bug 165) */ int DetectByteJumpTestPacket02 (void) { int result = 0; uint8_t buf[] = { 0x00, 0x00, 0x00, 0x77, 0xff, 0x53, 0x4d, 0x42, 0x2f, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x92, 0xa4, 0x01, 0x08, 0x17, 0x5c, 0x0e, 0xff, 0x00, 0x00, 0x00, 0x01, 0x40, 0x48, 0x00, 0x00, 0x00, 0xff }; uint16_t buflen = sizeof(buf); Packet *p; p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); if (p == NULL) goto end; char sig[] = "alert tcp any any -> any any (msg:\"byte_jump with byte_jump" " + relative\"; byte_jump:1,13; byte_jump:4,0,relative; " "content:\"|48 00 00|\"; within:3; sid:144; rev:1;)"; result = UTHPacketMatchSig(p, sig); UTHFreePacket(p); end: return result; }
/** * \test DetectByteJumpTestPacket01 is a test to check matches of * byte_jump and byte_jump relative works if the previous keyword is pcre * (bug 142) */ int DetectByteJumpTestPacket01 (void) { int result = 0; uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0" "User-Agent: Wget/1.11.4" "Accept: */*" "Host: www.google.com" "Connection: Keep-Alive" "Date: Mon, 04 Jan 2010 17:29:39 GMT"; uint16_t buflen = strlen((char *)buf); Packet *p; p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); if (p == NULL) goto end; char sig[] = "alert tcp any any -> any any (msg:\"pcre + byte_test + " "relative\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\"; byte_jump:1,6," "relative,string,dec; content:\"0\"; sid:134; rev:1;)"; result = UTHPacketMatchSig(p, sig); UTHFreePacket(p); end: return result; }
static int PayloadLenFieldTest2() { uint8_t payload[4096]; uint16_t len = sizeof(payload); memcpy(payload + 2, &len, 4); Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP); int res = UTHPacketMatchSig(p, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:2 len:4; sid:1;)"); UTHFreePacket(p); return res; }
static int PayloadLenFieldTest1() { uint8_t payload[] = { 1,2,3,4,5,6,7,8,9,10 }; uint8_t len = sizeof(payload); payload[2] = len; Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP); int res = UTHPacketMatchSig(p, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:2 len:1; sid:1;)"); UTHFreePacket(p); return res; }
static int PayloadLenFieldTest3() { uint8_t payload[256]; for (int i = 0; i < 256; ++i) { payload[i] = i; } uint16_t len = sizeof(payload); memcpy(payload + 1, &len, 2); Packet *p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP); int res = UTHPacketMatchSig(p, "alert tcp any any -> any any (msg:\"dummy\"; payloadlenfield:offset:1 len:2; sid:1;)"); UTHFreePacket(p); return res; }
/** * \test check matches of with from_beginning (bug 626/627) */ int DetectByteJumpTestPacket07 (void) { int result = 0; uint8_t *buf = (uint8_t *)"XX04abcdABCD"; uint16_t buflen = strlen((char *)buf); Packet *p; p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); if (p == NULL) goto end; char sig[] = "alert tcp any any -> any any (content:\"XX\"; byte_jump:2,0,relative,string,dec,from_beginning; content:\"abcdABCD\"; distance:0; within:8; sid:1; rev:1;)"; result = UTHPacketMatchSig(p, sig) ? 1 : 0; UTHFreePacket(p); end: return result; }
int DetectWithinTestPacket02 (void) { int result = 0; uint8_t *buf = (uint8_t *)"Zero Five Ten Fourteen"; uint16_t buflen = strlen((char *)buf); Packet *p; p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); if (p == NULL) goto end; char sig[] = "alert tcp any any -> any any (msg:\"pcre with within " "modifier\"; content:\"Five\"; content:\"Ten\"; within:3; distance:1; sid:1;)"; result = UTHPacketMatchSig(p, sig); UTHFreePacket(p); end: return result; }
/** * \test DetectDistanceTestPacket01 is a test to check matches of * distance works, if the previous keyword is byte_jump and content * (bug 163) */ int DetectDistanceTestPacket01 (void) { int result = 0; uint8_t buf[] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00 }; uint16_t buflen = sizeof(buf); Packet *p; p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); if (p == NULL) goto end; char sig[] = "alert tcp any any -> any any (msg:\"suricata test\"; " "byte_jump:1,2; content:\"|00|\"; " "within:1; distance:2; sid:98711212; rev:1;)"; p->flowflags = FLOW_PKT_ESTABLISHED | FLOW_PKT_TOCLIENT; result = UTHPacketMatchSig(p, sig); UTHFreePacket(p); end: return result; }